Sure, but that's only because your computer can't distinguish your Pi-hole blocking DNS to block ads from an evil ISP blocking DNS to censor you. And if your device supports DoH, can't you just point it to one of the many publicly-available DoH servers, or set up a DoH server on your Pi-hole and then point at that?
> It breaks SNI (Server Name Indication), also heavily used on cloud services
They can just hardcode the IP in the hosts file, not in the client program. Then SNI will still work normally.
> There's better ways to do secure DNS than DoH, like DoT (DNS over TLS)
Then the people who want to do censorship and surveillance will all just block port 853. It's a feature that DoH is hard to distinguish from other HTTPS traffic.
> I like secure DNS but I still want my own server to be the middleman. With DoH this isn't easily possible, especially on mobile due to the root CA issue.
Can't you set up your own DoH server with its own domain name, get a Let's Encrypt certificate for it, then point your mobile device at that?
> DoH is normally implemented using a major player like CloudFlare. Sure, they promise not to look at it. But the phrase "Don't be evil" still is pretty fresh in my mind.
Isn't the alternative that your ISP is definitely looking at it?
> Can't you set up your own DoH server with its own domain name, get a Let's Encrypt certificate for it, then point your mobile device at that?
Yes. But what’s the angle here? You trust “ISP(s) hosting your DoH server” but not “ISP providing phone connection?”
Might be a legitimate reason for that, but ultimately as with all these discussions it’s just a matter of who you’d rather give the data to.
And your ISP will still be able to see from SNI for the most part so… it boils down to “my ISP can see anyway (via SNI), should I also let someone else see (DoH provider)?”
> Yes. But what’s the angle here? You trust “ISP(s) hosting your DoH server” but not “ISP providing phone connection?”
Your own DoH server could just do the filtering you want and then hand off the work to another real DoH server like Cloudflare's.
> Might be a legitimate reason for that, but ultimately as with all these discussions it’s just a matter of who you’d rather give the data to.
True, but in most of the USA, your ISP is the least trustworthy choice for who to give your data to.
> And your ISP will still be able to see from SNI for the most part so… it boils down to “my ISP can see anyway (via SNI), should I also let someone else see (DoH provider)?”
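The "filter locally, then hand off to a real DoH server" idea from the reply above, as an added example that is not code from anyone in this thread. It is a minimal RFC 8484 style resolver core in Python: it parses the question out of a wire-format DNS query, answers NXDOMAIN itself for names on a blocklist, and forwards everything else as a `application/dns-message` POST to an upstream DoH URL. The blocklist entries, the sample query and the upstream URL `https://doh.example/dns-query` are constructed placeholders; an HTTP front end that hands the request body to `handle_query` is assumed to sit in front of it.

```python
import struct
import urllib.request
from typing import Callable, Optional, Set, Tuple

# Constructed blocklist for the example; a real deployment would load the
# Pi-hole gravity list or a similar source instead.
BLOCKLIST: Set[str] = {"ads.example", "tracker.example"}


def parse_question(msg: bytes) -> Tuple[str, int]:
    """Return (queried name, offset just past the question section).

    Only uncompressed names are accepted in the question, which is what
    real clients send; anything else is rejected as malformed.
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", msg[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    end = pos + 4  # QTYPE + QCLASS
    if end > len(msg):
        raise ValueError("truncated question section")
    return ".".join(labels).lower(), end


def is_blocked(name: str, blocklist: Set[str] = BLOCKLIST) -> bool:
    """True if the name or any parent domain is on the blocklist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def nxdomain_response(query: bytes) -> bytes:
    """Build an NXDOMAIN reply: same ID and question, QR=1, RA=1, RCODE=3."""
    _, qend = parse_question(query)
    qid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | 0x0080 | 0x0003  # QR, RD copied, RA, NXDOMAIN
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + query[12:qend]


def forward_upstream(query: bytes, upstream_url: str) -> bytes:
    """Hand the untouched query to an upstream DoH server (RFC 8484 POST)."""
    req = urllib.request.Request(
        upstream_url,
        data=query,
        method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def handle_query(query: bytes, upstream_url: str,
                 blocklist: Set[str] = BLOCKLIST,
                 fetch: Callable[[bytes, str], bytes] = forward_upstream) -> bytes:
    """Answer blocked names locally, forward everything else upstream."""
    name, _ = parse_question(query)
    if is_blocked(name, blocklist):
        return nxdomain_response(query)
    return fetch(query, upstream_url)


def build_query(name: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Construct a wire-format query (used here only to make sample input)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    sample = build_query("www.ads.example")  # constructed sample query
    reply = handle_query(sample, "https://doh.example/dns-query",
                         fetch=lambda q, u: b"<would go upstream>")
    print(parse_question(sample)[0], "->", reply.hex())
```

Returning NXDOMAIN is one design choice; Pi-hole by default answers blocked names with 0.0.0.0 instead, which keeps clients from retrying other resolvers. Either way the upstream DoH provider only ever sees the names that were not filtered.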
> Then the people who want to do censorship and surveillance will all just block port 853. It's a feature that DoH is hard to distinguish from other HTTPS traffic.
Not an issue here in the EU. Alternative DNS is not blocked. Providers sometimes block the pirate bay but they're never obliged to block alternative DNS and they're not allowed to anyway as they're not allowed to do Deep Packet Inspection.
> Isn't the alternative that your ISP is definitely looking at it?
No, this is not allowed in the EU. They can see it if you use their DNS. Otherwise not.
I understand the feature that hiding the DNS traffic among other HTTPS traffic brings, but this is mainly a feature in countries without strong privacy laws. For me I would prefer to separate the traffic so I can control it myself.
And really if I'm in a country with such invasive censoring I would prefer to use a VPN and avoid their prying eyes altogether. DNS is only part of the equation. IP endpoints still tell them a lot. Especially on IPv6 as there's no more need for SNI.
I'm just not sure if it's a good idea to obfuscate core protocols of the internet, just to avoid an issue in certain countries that is not very well solved by this anyway. At the same time I have to give up a lot of valuable statistics, troubleshooting data and validation about whether apps do as they claim.
However like I said I can't stop an app doing this, precisely for the reason it's obfuscated. I won't use it on my own network however.
> Can't you set up your own DoH server with its own domain name, get a Let's Encrypt certificate for it, then point your mobile device at that?
I don't want to bother with getting public domain names and validating their IP with Let's Encrypt just because I want to use them internally. The renewal process is really complex for something that doesn't have a public IP and I don't want to have my internal DNS available on the internet (it also contains local domain names only available on my LAN and P2P VPN).
In fact encrypting that traffic on the local segment doesn't really add any value for me. I just encrypt the outbound part (from the pihole) with DoT.
> They can just hardcode the IP in the hosts file, not in the client program. Then SNI will still work normally.
How would that work? I control my hosts file. Apps cannot mess with it. Not on my computer and not on my phone.
It's great that you live somewhere where you don't have to worry about any of these things, but a lot of us aren't so lucky.
> And really if I'm in a country with such invasive censoring I would prefer to use a VPN and avoid their prying eyes altogether.
Those countries block VPNs.
> Especially on IPv6 as there's no more need for SNI.
I can foresee CloudFlare offering a single-IPv6 shared endpoint for the sole purpose of making eSNI/ECH remain effective.
> At the same time I have to give up a lot of valuable statistics, troubleshooting data and validation about whether apps do as they claim.
Can't you get this information directly off of your endpoint device, whether or not the traffic is encrypted over the network?
> How would that work? I control my host file. Apps can not mess with it. Not on my computer and not on my phone.
I was thinking more about IoT appliances when I wrote that. For programs on your phone or computer, they can tell their TLS library to use whatever SNI you want, so even if they did hardcode the IP in the client program, SNI could still include the right hostname.
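Two claims in this thread can be checked in one place: that a client which hardcodes an IP can still put the right hostname in SNI (the reply just above), and that an on-path observer such as an ISP can read that hostname from the ClientHello (the earlier "my ISP can see anyway (via SNI)" point). The following is an added Python example, not code from anyone in the thread. `client_hello_for` drives OpenSSL through an in-memory BIO so the ClientHello is produced without any network, and `extract_sni` is a minimal passive parser of the kind a middlebox would use; `connect_with_sni` shows the real-socket form of the same idea. The hostname `example.com` and the address `198.51.100.10` are constructed placeholders.

```python
import socket
import ssl
from typing import Optional


def client_hello_for(hostname: Optional[str]) -> bytes:
    """Return the raw TLS ClientHello OpenSSL would send for this hostname.

    With hostname=None no SNI extension is sent, which is the only
    reason verification has to be disabled for that case.
    """
    ctx = ssl.create_default_context()
    if hostname is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()  # writes ClientHello, then waits for ServerHello
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def extract_sni(client_hello: bytes) -> Optional[str]:
    """Passively pull the server_name out of a TLS ClientHello record."""
    try:
        if client_hello[0] != 0x16:  # TLS handshake record
            return None
        rec_len = int.from_bytes(client_hello[3:5], "big")
        body = client_hello[5:5 + rec_len]
        if body[0] != 0x01:  # handshake type: client_hello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hs = body[4:4 + hs_len]
        pos = 2 + 32                                # legacy_version + random
        pos += 1 + hs[pos]                          # legacy_session_id
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hs[pos]                          # compression_methods
        if pos + 2 > len(hs):
            return None                             # no extensions at all
        end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type = int.from_bytes(hs[pos:pos + 2], "big")
            ext_len = int.from_bytes(hs[pos + 2:pos + 4], "big")
            data = hs[pos + 4:pos + 4 + ext_len]
            if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = int.from_bytes(data[3:5], "big")
                return data[5:5 + name_len].decode("ascii")
            pos += 4 + ext_len
    except IndexError:
        return None
    return None


def connect_with_sni(ip: str, port: int, hostname: str) -> ssl.SSLSocket:
    """Connect to a fixed IP but present, and verify against, the real hostname.

    This is the hardcoded-IP-plus-correct-SNI pattern described above;
    it needs network access and is not exercised offline.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((ip, port))
    return ctx.wrap_socket(raw, server_hostname=hostname)


if __name__ == "__main__":
    hello = client_hello_for("example.com")  # constructed hostname
    print("SNI on the wire:", extract_sni(hello))
    print("SNI without server_hostname:", extract_sni(client_hello_for(None)))
    # connect_with_sni("198.51.100.10", 443, "example.com")  # placeholder address
```

The parser only understands plain ClientHello records; once ECH is in use the real name sits inside the encrypted inner ClientHello and `extract_sni` would only ever see the public outer name, which is the whole point of the eSNI/ECH discussion above.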