Everybody should be using DNS over HTTPS (DoH) or over TLS (DoT) nowadays. Clear DNS is way too easy to subvert and even when it’s not being tampered with most ISP snoop on it to compile statistics about what their customers visit.
DoH and DoT aren’t a full-proof solution though. HTTPS connections still leak domain names when the target server doesn’t use Encrypted Hello (ECH) and you need to be using DoH for ECH to work.
Even if all that is in place, a determined ISP, workplace or state actor can identify DoH/DoT servers and compile block lists, perform deep packet inspection to detect such connections regardless of server, or set up their own honey trap servers.
There’s also the negative side of DoH/DoT, when appliances and IoT devices on your network use it to bypass your control over your LAN.
How would they do DPI on DNS packets routed using DoH? It looks like HTTPS traffic, it’s encrypted, and other than size and frequency I don’t see how they can gey anything out of it. Yeah they’ll get the SNI with eCH but that’s supported by FF and by a lot of providers using DoH
Everybody should be using DNS over HTTPS (DoH) or over TLS (DoT) nowadays. Clear DNS is way too easy to subvert and even when it’s not being tampered with most ISP snoop on it to compile statistics about what their customers visit.
DoH and DoT aren’t a full-proof solution though. HTTPS connections still leak domain names when the target server doesn’t use Encrypted Hello (ECH) and you need to be using DoH for ECH to work.
Even if all that is in place, a determined ISP, workplace or state actor can identify DoH/DoT servers and compile block lists, perform deep packet inspection to detect such connections regardless of server, or set up their own honey trap servers.
There’s also the negative side of DoH/DoT, when appliances and IoT devices on your network use it to bypass your control over your LAN.
How would they do DPI on DNS packets routed using DoH? It looks like HTTPS traffic, it’s encrypted, and other than size and frequency I don’t see how they can gey anything out of it. Yeah they’ll get the SNI with eCH but that’s supported by FF and by a lot of providers using DoH