unixsheikh | 5 years ago
Furthermore, the destination IP address is ALWAYS in clear text when you use HTTPS. Which demonstrates exactly why this is so wrong.
DoH - is fake privacy, it's nothing more than extra sugar on Cloudflare's spying cake - and more funding for Mozilla.
Wake up.
danShumway | 5 years ago
I mentioned this above, but there are plenty of shared hosting servers that don't have unique IP addresses for every domain. This is not an uncommon thing, and it's one of the reasons why DNS blocking is so common in firewalls, even at the ISP/nation-state level. DoH will also obscure the vast majority of subdomains for a given domain, which, again, are often sharing IPs with each other.
Aside from that, DNS leaking is also very common when inexperienced users set up VPNs, and DoH basically gets rid of plaintext DNS leaks entirely.
Look, would it be nice to get rid of IP addresses? Yes. Does anybody have a scalable solution for getting rid of IP addresses that can be deployed today? No. The closest we have is the Tor network, which is not fast enough or robust enough to handle everyone on the Internet. I have very little sympathy for the argument that because SNI encryption isn't completely rolled out yet and because everyone isn't on Tor that we should ignore solvable security/privacy problems in the meantime.
There are multiple privacy issues with the way we currently connect to websites, and DoH solves one of those issues with very little if any downside. It's worth doing.
> This is basic computer and network engineering. If you want to encrypt DNS, fine encrypt DNS, but flipping leave the HTTPS protocol out of it!
Why? Why not use a single protocol that's widely tested and trusted by security experts? I mean, we didn't come up with a brand new encryption strategy for FTP, we made FTPS.
Why on earth would we want to use 5 different encryption protocols in the browser? That's just pointlessly adding attack surface. What's wrong with HTTPS that means it's a bad fit for encrypting a DNS query? A DNS query is essentially at its core an HTTP request to a remote server, and HTTPS is already very good at encrypting HTTP requests. There's no need to reinvent the wheel here.
By and large, I have not seen any real criticism of using HTTPS for DNS from security experts based on the technology itself -- they all seem to think the technology is fine. Virtually all of the current criticism from industry is coming from corporate players and ISPs who are mad that they won't be able to monitor DNS queries any more. And the fact that they're mad about that is strong evidence that DoH does provide a security gain. Corporations and ISPs would not be complaining about a privacy feature with no benefit to consumer privacy.
> it's nothing more than extra sugar on Cloudflare's spying cake - and more funding for Mozilla
This is just blatant conspiracy. It's no harder for anyone to set up a DoH server than it is for them to set up a DNS server. There is nothing in DoH that gives Cloudflare more control over the web other than that they currently sponsor one of (if not the) most private DoH servers on the web today.
You can go into Firefox today and use any DoH server you want with zero consequence or downside. Chrome, by far the dominant browser on the web, does not use Cloudflare's DoH servers by default. There are reasons to be skeptical of Cloudflare in general, but if DoH in particular is a power grab by Cloudflare, then it's a pretty ineffective one.
unixsheikh | 5 years ago
> Why on earth would we want to use 5 different encryption protocols in the browser? That's just pointlessly adding attack surface. What's wrong with HTTPS that means it's a bad fit for encrypting a DNS query? A DNS query is essentially at its core an HTTP request to a remote server, and HTTPS is already very good at encrypting HTTP requests. There's no need to reinvent the wheel here.
This is where you're wrong. A DNS request is far from the same as an HTTP request!
You don't seem to understand how the technology really works in the underlying protocol.
HTTPS is designed to encrypt HTTP traffic, it was never designed to be stuffed by other kinds of traffic. When you stuff DNS into HTTPS you not only get a destination IP in clear text, something you cannot get if you use DoT e.g.
Furthermore, DoH also completely ruins analysis and monitoring of DNS traffic for security purposes. Already DoH has been used in a worm to mask connections to its command-and-control server.
If you want to solve the obvious problems with DNS, you don't keep doing the same mistake over and over again by patching with the same half-baked solution.
DoH does not solve ANY of the issues it is set out to do! I have worked for a long time in the ISP industry, users get tracked by source IP and destination IP mainly, and figuring out what particular website they have visited, even when the hosting provider has multiple websites running on the same IP, is so easy just by looking at a hash of the payload that it is ridiculous.
DoH is "fake privacy". Period.
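For reference on the thread's disagreement over how a DNS query relates to an HTTP request, here is an added example that is not part of any comment above: under RFC 8484 a DoH client sends the same RFC 1035 wire-format message a UDP/53 client would, base64url-encoded into the `dns` parameter of an HTTPS GET. The `/dns-query` path and all function names are assumptions of this example.

```python
import base64
import struct

def build_query(name, qtype=1):
    """DNS wire-format query (RFC 1035): 12-byte header plus one question."""
    # ID 0 (RFC 8484 recommends 0 so HTTP caches can match), flags 0x0100 = RD
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        qname += bytes([len(label)]) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack("!2H", qtype, 1)  # class IN

def doh_get_path(wire, path="/dns-query"):
    """RFC 8484 GET form: base64url of the wire message, padding removed."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"

def decode_doh_path(request_path):
    """Resolver side: recover the wire message from the ?dns= parameter."""
    b64 = request_path.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

def qname_of(wire):
    """Read the question name back out of a wire-format query."""
    labels, pos = [], 12  # the question section starts after the header
    while wire[pos]:
        length = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

if __name__ == "__main__":
    wire = build_query("www.example.com")  # constructed sample name
    print("UDP/53 payload:", wire.hex())
    print("DoH GET path  :", doh_get_path(wire))
    print("Resolver reads:", qname_of(decode_doh_path(doh_get_path(wire))))
```

Sent over UDP/53, these bytes are readable by anyone on the path; sent as DoH, the same bytes sit inside the TLS stream, and an on-path observer sees the resolver's IP address and port 443.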