Comment by dabacaba
19 hours ago
DoH does wonders against ISPs which filter DNS traffic (including traffic to third-party DNS servers). This happens more often than many people realize. My ISP blocks traffic to a couple of random websites (perfectly safe and legal) just because their security system doesn't like them, and they can't do anything about that. I only wish for more websites to deploy ECH, because they are using SNI filtering as well.
>they are using SNI filtering as well
This is surprisingly easy to beat using very funny methods, like splitting the request in the middle of SNI, or sending a request with a low TTL to an unblocked website first which gets dropped then repeating it to the correct SNI.
There are more methods all of which I find very funny for some reason. You can use GoodbyeDPI on Windows and zapret on Linux.
The disadvantage of those methods is that they require installing custom software, and they don't work on mobile devices unless you put them behind a router with custom firmware. In contrast, DoH works out of the box on most operating systems, and hopefully ECH will work as well.
I guess it depends on the situation then. My ISP doesn't pull such stunts and if they did, I would switch them in a moment. Fortunately others around here don't suck either. Cloudflare (or Google, or whoever) OTOH gets waaaay too much data from everybody. For my taste at least.
I'm glad your ISP doesn't do that, but there are a lot of people not as lucky as you, and we shouldn't deny them all a major increase in privacy just to avoid having you to change one browser setting.
Very true... I used to be with Sky here in the UK, and at the time they were running a transparent proxy on port 53. Changing DNS providers made no difference to the dnsleaktest results. Don't know if they still do that now.
I'm now with a different ISP, and anyway have PiHole handling DNS queries on most devices in our house. It forwards DNS requests to dnscrypt-proxy running on the same Pi, which uses Quad9 over DoH.
To me, that seems awfully trusting of Cloudflare.
Instead of sending all my DNS traffic to sketchy multinational corporation A, we'll send all my traffic to sketchy multinational corporation B?
Doesn't seem like much of an increase in privacy to me.
3 replies →
My ISP does, because the government tells them to. Yes western nation so it's not government censorship.
Same goes for if you have an IoT device behind a corporate firewall and you are being forced to use a enterprise DNS server running on some Cisco or Juniper device which doesn't respect TTL's, filters TXT records, etc.
A decent corporate policy will block or decrypt DoH, same as it blocks direct outbound DNS.
The hope is we eventually get enough things like DoH and ECH that it stops being feasible for corporate policies to block things.
3 replies →