top | item 43901041

diogocp | 10 months ago

Your comment makes no sense. The DoH providers can still log requests and sell them.

DoH protects against intermediaries spying on your requests and potentially forging responses. Exactly the same as HTTPS.

Sending anything in clear text over the internet in 2025 is criminally negligent.

koito17 | 10 months ago

HTTPS is not necessary to encrypt DNS traffic. DNS-over-TLS exists, but it has much less traction compared to DNS-over-HTTPS. I am guessing the reason is that HTTPS traffic all goes through port 443, so "censorship" of DNS becomes tricky, since DNS traffic becomes a bit harder to distinguish from ordinary web traffic.

Encapsulating DNS packets in HTTP payloads still feels a bit strange to me. Reminds me a bit of DOCSIS, which encapsulates ethernet frames in MPEG-2 Transport Stream packets (this is not a joke).

baq | 10 months ago

Everything other than 80 and 443 is blocked by default, anything-over-https is just a matter of time. With a properly configured TLS MITM proxy only certificate pinning will prevent snooping, but it’ll also prevent connectivity, so you might call it a win for security/privacy, or a loss for the open internet if it’s you who needs to VPN to a safe network from within such an environment…

wkat4242 | 10 months ago

Yes but in the US the ISPs are the intermediary. And the big DoH providers like Cloudflare have better privacy protection.

Here the ISPs are intermediaries too, but we have laws to prevent them from using our data using DPI etc. And even if you use their DNS.

I agree encryption is important but DoT is much better then. DoH mainly took off because of this in the US.