
> Today, DNS queries are generally sent unencrypted. This allows any party between the browser and the resolver to discover which website users want to visit. Such parties can already monitor the IP address with which the browser is communicating, but monitoring DNS queries can identify which specific website users seek. As more services move to cloud computing infrastructure, this distinction becomes increasingly important, because multiple websites may be consolidated under a few IP addresses, rather than each having a unique IP address.

This is super misleading. Even with DoH, any party on the network can see which websites you're talking to, because their hostnames are sent in the clear via SNI. ESNI fixes this, but it's not clear to me whether the major cloud providers are going to go for that, and if they don't it's not going anywhere.

https://news.ycombinator.com/item?id=21264814 was a good discussion of the actual security benefits of DoH.



