Hacker News

And now they have a one-stop shop for all their DNS surveillance needs.



> And now they have a one-stop shop for all their DNS surveillance needs.

There are a few dozen DoH services out there [1] and nothing prevents anybody else from running their own.

[1] https://github.com/curl/curl/wiki/DNS-over-HTTPS


But Mozilla's justification centers on making security better for all users by dictating default settings that are expected not to change. So, defaults need to achieve the goals.


How many of those "dozens" would you consider usable as a default for a browser?


There are dozens, and yet Mozilla chooses the same company that forces Google captcha on site visitors that try to protect their privacy by using a VPN or Tor?


Well it’s absolutely happening right now to every unencrypted DNS server, so what’s your point?

DNS is the most openly insecure aspect of the entire internet. It’s wide open.


So you’re arguing that everybody should switch to DNS over TLS (DoT), then? Sounds great!


DNS over TLS is just DoH but with an easily blocked separate port


Which is great from a local sysadmin perspective. With DoH I have no control of what various apps on devices on my network are querying.


Or in other words, DoH works better on hostile networks because it looks like just one more HTTPS connection.

That's an intentional design feature. You're attempting to intercept traffic, and any mechanism you could use to do so "transparently" could be used by any hostile network to do so.

You can still intercept traffic from cooperating devices if you want, just not transparently. That's a feature, not a bug, and the Internet will be better for it.


Right, but I do think this is better handled at the OS layer. Hardcoding everyone to route through Cloudflare is hardly a net win, and might be better or worse than your ISP depending on who and where you are.


https://support.mozilla.org/en-US/kb/canary-domain-use-appli..., also if you can block it this easily so can the government. The difference with a canary domain is that Mozilla can disable it if it's misused.


1) other applications or malware won't respect canary domain

2) to implement this canary, you have to break DNSSEC on the entire .net root domain. Great.
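Worked example, added by the editor and not code from this thread, from Mozilla or from Cloudflare. It ties together three points made above: the query bytes a browser sends are the same for DoT and DoH, DoT wraps them in a 2-byte length prefix on a dedicated port (RFC 7858) while DoH base64url-encodes them into an ordinary HTTPS GET (RFC 8484), and a resolver opts a network out of DoH by answering the canary name use-application-dns.net with NXDOMAIN (or NOERROR with no A/AAAA records, which is my reading of Mozilla's canary documentation). The resolver answers are constructed inline so the script runs offline; `dns.example` and the 198.51.100.7 address are placeholders.

```python
import base64
import struct

# Added example, not code from the thread or from Mozilla/Cloudflare.
# "dns.example" and 198.51.100.7 are placeholders; the canary rule below
# (NXDOMAIN, or NOERROR with no A/AAAA, means "keep DoH off") is my reading
# of Mozilla's canary-domain documentation, not a quote from it.

CANARY = "use-application-dns.net"
NOERROR, NXDOMAIN = 0, 3
A, AAAA = 1, 28


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Read a name at `off`, following compression pointers. Returns (name, next_off)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2                           # caller resumes after the pointer
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def build_query(name, qtype=A, txid=0):
    """Standard query with RD set. RFC 8484 suggests txid 0 so DoH responses cache well."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def dot_frame(msg):
    """DoT (RFC 7858): DNS-over-TCP framing inside TLS on port 853, a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg, base="https://dns.example/dns-query"):
    """DoH (RFC 8484) GET form: unpadded base64url in the `dns` query parameter."""
    return base + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def doh_decode_param(url):
    """What a DoH server does with that URL: re-pad and decode back to the wire message."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def build_response(query, rcode, a_records=()):
    """Constructed answer to `query`: same id and question, given RCODE, optional A records."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    body = query[12:]                                   # echo the question section
    for rdata in a_records:
        # owner name is a pointer to offset 12 (the question name); class IN, TTL 300
        body += b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 300, len(rdata)) + rdata
    return header + body


def parse_response(msg):
    """Return (rcode, [(name, rtype, rdata), ...]) from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                        # skip qtype, qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0x0F, answers


def canary_says_disable_doh(response):
    """Canary rule: NXDOMAIN, or NOERROR with no A/AAAA, means the network asked for DoH off."""
    rcode, answers = parse_response(response)
    if rcode == NXDOMAIN:
        return True
    return rcode == NOERROR and not any(t in (A, AAAA) for _, t, _ in answers)


if __name__ == "__main__":
    q = build_query(CANARY)
    print("DoT frame:", dot_frame(q).hex())
    print("DoH URL:  ", doh_get_url(q))
    honest = build_response(q, NOERROR, [bytes([198, 51, 100, 7])])
    canary = build_response(q, NXDOMAIN)
    print("honest resolver -> disable DoH?", canary_says_disable_doh(honest))
    print("canary resolver -> disable DoH?", canary_says_disable_doh(canary))
```

The DoT frame is trivially recognisable on the wire (port 853, length-prefixed DNS), which is the "easily blocked separate port" point; the DoH URL is just another HTTPS GET and can only be distinguished by the destination host. The canary rule is a decision made by the stub from an unauthenticated answer: a forged NXDOMAIN carries no signed NSEC/NSEC3 proof of non-existence, so a DNSSEC-validating stub would reject it if the name is signed, which is the objection in the comment above, and nothing obliges other applications or malware to ask for the canary name at all.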



