Comment by 1vuio0pswjnm7
10 hours ago
"Adversaries critic that all DNS queries are directed to single DNS provider who becomes the one known peeper."
There could be other "peepers", known or unknown, between the DoH provider and each authoritative nameserver.
Generally, with no exceptions that I am aware of, the DNS traffic between (a) the third party DNS provider/open resolver/shared cache/DoH provider, and (b) each authoritative nameserver is unencrypted.
"It is called DNS over TLS and is specified as a proposed standard in RFC 7858. This provides transport encryption to DNS without abusing HTTP as transport protocol."
Same problem as with DoH. Generally, the DNS traffic between (a) the third party DNS provider/open resolver/shared cache/DoT provider, and (b) each authoritative nameserver is unencrypted.
"The DNS needs security features that prevent the peepers from reading your DNS traffic. I'm all in for it. But DoH is NOT the answer to this."
The only working DNS encryption solution I am aware of is DNSCurve, making it easy for authoritative nameservers to encrypt their responses.
I use DNSCurve via CurveDNS at home on the local network. Originally I was just testing it to see if and how it would break. That was over 15 years ago. It is still working.
I have seen HN commenters with high karma try to discredit DNSCurve. Not because it doesn't work, but because it is not popular. There are few DNSCurve-protected authoritative nameservers on the internet. Meanwhile the most popular encryption that is used for HTTPS, including DoH, is from the same author as DNSCurve. Pay no mind.
As a proof of concept, I have thought about starting a DNS registry that requires registrants to offer DNSCurve-encrypted responses from their authoritative nameservers.
DoH has commercial motives. It is based on (yet) another weird Silicon Valley definition of "privacy". Nevertheless, I have managed to find good uses for it. For example, it allows for bulk DNS retrieval via HTTP/1.1 pipelining. It can also be useful when hotel-provided internet service is intercepting DNS. IMHO, DoH is an option that is useful to have. This is not to say I would rely on it.
Perhaps I'm generally OK with DoH because I do not use remote DNS. I stopped letting applications use remote DNS before DoH was introduced. I now use a forward proxy with all name-to-IP mappings stored in memory. DNS queries only travel over the loopback to own authoritative servers and generally all RRs point to the loopback address of the proxy. DoH is useful as a source of DNS data retrieved in bulk from various providers. It is not the only source I use.
Arguably the debate over DNS encryption is moot because domain names appear in plaintext on the wire anyway, via the TLS "Server Name Indication" (SNI) extension.^1 TLS has become extremely popular. The extension mainly serves the needs of CDNs. The proposed Band-Aid for the harmful effects of SNI, put forth by the CDNs (i.e., the source of the problem), is known as "ECH". It is not popular.
ECH coverage is narrow. One might be able to use ECH with a specific browser and version and a Cloudflare website.^2 For the rest of the myriad software that uses TLS, and the rest of the www not accessible via Cloudflare's CDN, including other major CDNs and millions of websites not hosted on major CDNs, all bets are off. The famous "example.com" certainly supports TLS. It does not support ECH. Neither does news.ycombinator.com.
1. Test: https://github.com/kontaxis/snidump
2. Test: https://test.defo.ie