> Once DoH (and certificate pinning to go along with it, to prevent you MiTM'ing the requests) is pervasive you won't get to control DNS on devices where you can't execute arbitrary code. That ship has sailed.
This isn't entirely the case. I have regained this control on my own machines by implementing a proxy that MITMs all HTTPS connections that happen over my network.
Certificate pinning won't allow this to be evaded -- all it will do is prevent the HTTPS connection from being established.
All devices that I use, including remote ones, only connect to the internet through a VPN that I run in my network, so they are all MITM'd as well.
That's not a solution that everyone can pull off, and it's not a solution that I'm happy with (because I'm introducing a weakness in the security chain), but it's the best one I could think of.