I'm getting pretty pissed off with the arrogance of US internet tech companies sidestepping formal protocol design & industry adoption because it isn't moving "fast enough" for them. Without ESNI, DoH is essentially meaningless for the class of privacy invaders it is supposed to combat. By the time ESNI is out, DoT would have had enough time to mature and gain wide enough adoption.

DoT is better because at least it's obvious if your ISP/Gov is blocking port 853 (at which point you install a VPN or run your own resolver somewhere and tunnel to it, or swap provider, or move country). Meanwhile you get all the usual benefits of decentralised DNS resolution and don't have to worry about the unforeseen overhead and bullshit DoH is going to spawn.

Firefox is an app for browsing websites. What business does it have pushing a half-baked compromise solution that undermines core infrastructure, creates a false sense of privacy and introduces second-order effects that will result in DNS lookups being centralised into the hands of a few giant US corporations? (At least changing to 1.1.1.1 or 8.8.8.8 was opt-in.)

Also can't wait for the inevitable instances of Cloudflare deciding not to resolve certain domains (effectively becoming the de facto arbitrator of what most FF users can and cannot see on-line). For a preview of that, try going to archive.is with 1.1.1.1 as your resolver.

Ultimately, all of this is moot anyway (even once ESNI arrives). Regardless of DNS, your device still needs to connect to an IP. Entities interested in where you are going will still be able to get reasonable insight by simply correlating IP addresses and CT logs (http://blog.seanmcelroy.com/2019/01/05/ocsp-web-activity-is-...). The only decent solution to this, and available right now, is a VPN (at which point DNS privacy is automatically solved for you).

If Paul Vixie thinks DoH is a bad idea then... it's a bad fucking idea: https://twitter.com/paulvixie/status/1053765281917661184
> Regardless of DNS, your device still needs to connect to an IP.

All of the bad actors from the users’ perspective (ads, tracking, etc.) will sit behind Cloudflare, Cloudfront, etc. and you won’t be able to do anything about it.


Seems to be a trend lately. Google recently announced they will start blocking downloads from http websites. Doesn't sound like a bad idea -- but isn't this more a discussion for IETF as well?


The discussion should be around improved UX/UI and better protocols rather than treating people like idiots and abusing your power to unilaterally force behaviour changes on web content providers and consumers.

The more I think about it the more I realise Microsoft's and AOL's instincts were right. Make the internet a walled garden and insert yourself as the gatekeeper.

Their mistake was to do this too early. ~25 years later, people are now finally ready and willing to allow billion-dollar corporates to overtly "manage" their on-line experience for them. Companies love this too because it removes yet one more unseemly shackle from their ambition (i.e. that of needing to work collaboratively with potential competitors) while at the same time providing them with a nice vector to defend their quasi-monopoly.
