
Why is DoH a con?


It's not. In general, people who say it is fall into one of three groups:

1. People who want to censor and/or surveil other people's devices and traffic. These people hate DoH because the entire point of it is to protect against them doing so, and by running over port 443, it's really difficult for them to block it. This is the group that people who say DoH would be a good thing if only it used a network-provided DoH server, or that they wish DoT would get used more instead of DoH, usually fall into.

2. People who have a workflow that it breaks. In most cases, there's some setting or workaround for that workflow that still lets you use DoH for most Internet queries, though.

3. People who say it's making the Internet more centralized or bad for privacy. These arguments are valid to say "don't everyone use Cloudflare as your DoH provider" but not to say "don't use DoH even with other providers", since there's no reason DoH servers have to be any more centralized than regular DNS servers.


> 1. People who want to censor and/or surveil other people's devices and traffic.

This is me, with the caveat being that it's my damn device. It's only the OEM trying to say it's theirs and that I'm "censoring other people's traffic". If I bought it, I should be able to do as I like. If I tell it the DNS server is local and/or that domain is elsewhere/non-existent, I don't want it deciding otherwise and sneaking traffic out over port 443.


Add me to the list.

Unfortunately, with DoH, this now means that I have to go scorched earth and block all common DNS server IPs at the firewall. You use my gateway to resolve (DNS - 53) or you're out of luck.

I suppose it's only a matter of time before even the cheapest IoT junk just establishes a VPN to its maker's cloud and sends zero unencrypted traffic.


You should solve your problem by not putting non-FOSS IoT devices onto your network, not by doing the same kind of tactics that the bad guys trying to censor other people use. And your way will become impossible once DoH servers end up being hosted at the same IPs that important Web servers are also hosted on.


I do. But people have families, and if husbands, wives, children and grandparents want to buy a fancy lightswitch, well, we do the best we can with what we have here in reality. Should everything be FOSS? Sure, that would be wonderful. But so would exposing settings regarding which DNS server to use, and honoring them. Which is funny, because the exact companies I want to block are the ones putting out devices that do none of the above.


I definitely agree that you should be able to control what connections your own devices make. But we need to ensure that such control is only possible at the endpoint, since if it were possible at the router, then the bad guys could do that to censor other people's devices.

In your specific case, that means that while devices should offer a configuration setting for which DNS server to use, it shouldn't be via blindly listening to the possibly malicious DHCP server.


It definitely should be possible at a router level; why should I be forced to configure each device individually? That said, obviously it should be possible to override at the device level, like it already is most of the time.


> It definitely should be possible at a router level; why should I be forced to configure each device individually?

Because you shouldn't be able to control other people's devices just because they happened to connect to your Wi-Fi. And you don't have to configure them all individually anyway: you can use Group Policy, MDM, etc. to configure that setting on your whole fleet at once.


> Because you shouldn't be able to control other people's devices just because they happened to connect to your Wi-Fi.

Why? If it's my network, why should I not have control over all the traffic on it?


All of the traffic leaving China goes over the CCP's network. Do you think they should be able to keep censoring the whole country? Or if Comcast started censoring municipal fiber websites, would that be okay since the traffic was going through their network?


What does any of that have to do with my private home network? I don't run a country - democratic or not, nor an ISP trying to beat out competitors. This is my network that I designed for my purposes.


1. CloudFlare already gets this information since they're getting the unencrypted DNS traffic. The actual argument you're making here is that a single company owning all the data is a better situation than anybody being able to see that information.

2. Why should their workflow be broken so that the dns info gathered by CloudFlare is more valuable to CloudFlare?

3. The argument is that doh through privately owned servers is bad, so I don't know why you tried to specify that only CloudFlare is bad. DoH is, by definition, more centralized than DNS servers unless all DNS servers implement some form of doh. In which case you're not using doh and you're just updating dns to support encryption. If every DNS server doesn't implement doh then you're just adding a few centralized points which have access to unencrypted DNS data, making that data more valuable to the private entities holding it.


> The actual argument you're making here is that a single company owning all the data is a better situation than anybody being able to see that information.

Sure, but "CloudFlare can see my data but my ISP can't" is strictly better from a privacy perspective than "CloudFlare and my ISP can both see my data".

> Why should their workflow be broken

My point is their workflow doesn't actually have to be broken.

> so that the dns info gathered by CloudFlare is more valuable to CloudFlare.

Huh?

> The argument is that doh through privately owned servers is bad

How is it any worse than insecure DNS through privately owned servers, which basically everyone uses today?

> DoH is, by definition, more centralized than DNS servers unless all DNS servers implement some form of doh.

Is IPv6 also by definition more centralized than IPv4, since not all IPv4 servers implement some form of IPv6?

> In which case you're not using doh and you're just updating dns to support encryption.

What are you saying is the difference between those two things? And don't forget there's a huge anti-censorship benefit, even if you don't care about privacy at all.

> making that data more valuable to the private entities holding it.

Wait, are you arguing that reducing the number of entities that can access our data is a bad thing, since then our data will be more valuable to the ones who still can? That seems completely backwards.


> Sure, but "CloudFlare can see my data but my ISP can't" is strictly better from a privacy perspective than "CloudFlare and my ISP can both see my data".

But that's not really the trade-off here, it's about sharing data with Cloudflare that would not necessarily end up there if you were using services from your local ISP. Whether this is a good idea is more complicated. It depends on how ISPs are regulated and what they actually do with user data. Cloudflare's services, being optional in nature (the website operator or the end user chooses to use them, but not necessarily both at the same time), are likely to be less constrained by law, particularly if you are not a resident of California.

Or put differently, it's far easier to say “you shouldn't have used Cloudflare if you don't agree with their business practices” than “you shouldn't have browsed the public Internet if you don't agree with your ISP's business practices”.


This gets into my third category now. There are a ton of choices for DoH servers, and I doubt there's anyone who would consider all of them to have unacceptable privacy policies/practices, while also considering it okay from a privacy standpoint to use their ISP's DNS servers.


1) It's not a given that a single panopticon is better than more than one. In my opinion "anybody can see the data" is a better scenario than "CloudFlare can monetize the data".

2) I don't see why the workflow should be at risk of breaking if there's no good reason to introduce the new tool. Sure it's possible that requiring an animal sacrifice doesn't have to break their workflow, but why are we doing it in the first place?

3) Fully adopted IPv6 is less centralized than IPv4 since the larger address space allows for centralized layers (like NAT) to be removed. IPv6 gateways in an IPv4 network would be more centralized since they would require traffic from many sources to be proxied through a single source.

In the same vein, DoH that proxies many connections through a single source would be more centralized than not proxying those connections.

The difference between DoH and updating DNS to support encryption is that the latter doesn't allow for a "CloudFlare" to exist on top of existing DNS infrastructure which has exclusive access to unencrypted DNS data.

> Wait, are you arguing that reducing the number of entities that can access our data is a bad thing

It's a bit more nuanced than that. Adding doh proxies on top of existing DNS infrastructure increases the number of entities that are required to access your data while decreasing the number that have access to the data to "number that's needed to function + the proxy".

I'm arguing that the number of entities that have access to the data should be "number required to function" or "everyone"; "number required to function plus the proxy" only benefits the proxy because they have exclusive access to data. Data is worth more money the fewer people have access to it, so a solution that sends data through a proxy is ripe for exploitation and not the best solution.


I’m kinda lost here. Aren’t cloudflare’s dns servers available on 1.1.1.1 with the old protocol and no DoH required? I don’t understand, therefore, what you mean about some imagined dns-with-encryption not allowing cloudflare to exist. Surely it would allow similar things to regular dns? Maybe I just don’t understand what you are imagining when you write “encrypted dns”.


You ask “how so?” in another thread and then provide this false trichotomy with an unconditional “It’s not” as an opener. Shitty internet arm chair extremism at its finest.

Anyway, the fourth category is people who want to own their devices on their network and are being fought by the vendors of their Internet of things devices. When I have dns queries I can build a pattern of what it takes some rando device to operate and then lock down and alert on anything else. Can’t do that with DoH.

With DoH, I just have to allow opaque DNS smuggling to the wider Internet and hope that the device hasn’t been compromised. It’s trivial to run bidirectional c&c over DNS and DoH makes that invisible to anyone. It’s a monumental step back in security for the local network to improve the privacy of the individual device.
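The "learn what a device needs, then alert on anything else" approach this comment describes, as an added example that is not code from anyone in the thread. It reads two constructed log excerpts (a gateway resolver log and a firewall connection log, both in an invented format), builds a per-device baseline of queried names during a learning window, flags names outside it, and additionally flags outbound connections to addresses the gateway never resolved for that device, which is one way a DoH or other resolver bypass shows up from the network side.

```python
import re
from collections import defaultdict
# Constructed sample logs (not from the thread): the gateway resolver's query
# log and the firewall's outbound-connection log for one IoT device.
DNS_LOG = """\
2024-03-01T08:00:01 192.168.1.50 query lamp.vendor.example A 203.0.113.10
2024-03-01T08:00:02 192.168.1.50 query time.vendor.example A 203.0.113.11
2024-03-01T09:12:07 192.168.1.50 query lamp.vendor.example A 203.0.113.10
2024-03-01T09:30:00 192.168.1.50 query totally-new.example A 198.51.100.9
"""
CONN_LOG = """\
2024-03-01T08:00:03 192.168.1.50 -> 203.0.113.10:443
2024-03-01T09:31:00 192.168.1.50 -> 198.51.100.9:443
2024-03-01T09:45:00 192.168.1.50 -> 1.1.1.1:443
"""
DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+) A (\S+)$")
CONN_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

def parse(text, regex):
    """Return the captured fields of every line that matches regex."""
    return [m.groups() for m in map(regex.match, text.splitlines()) if m]

def build_baseline(dns_events, learn_until):
    """Per-device set of names queried during the learning window."""
    baseline = defaultdict(set)
    for ts, dev, name, _ in dns_events:
        if ts <= learn_until:  # ISO timestamps compare correctly as strings
            baseline[dev].add(name)
    return baseline

def alerts(dns_events, conn_events, learn_until):
    """Flag names outside the baseline and destinations the gateway never resolved."""
    baseline = build_baseline(dns_events, learn_until)
    resolved = defaultdict(set)  # device -> answer IPs handed out by the gateway
    found = []
    for ts, dev, name, answer in dns_events:
        resolved[dev].add(answer)
        if ts > learn_until and name not in baseline[dev]:
            found.append((ts, dev, "new-name", name))
    for ts, dev, dst, port in conn_events:
        # A connection to an address the device never looked up through the
        # gateway is how DoH (or any other resolver bypass) looks from outside.
        if dst not in resolved[dev]:
            found.append((ts, dev, "unresolved-dst", f"{dst}:{port}"))
    return found

if __name__ == "__main__":
    for a in alerts(parse(DNS_LOG, DNS_RE), parse(CONN_LOG, CONN_RE), "2024-03-01T09:00:00"):
        print(*a)
```

With the sample data this reports one unfamiliar name (totally-new.example) and one connection to 1.1.1.1:443 that no gateway lookup explains; a real deployment would feed it the resolver's and firewall's own log formats.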


If it's possible for you to do what you're describing to your own IoT device, wouldn't it also be possible for you to do it to other people's laptops and phones that are on your Wi-Fi?


Might be, but that’s not my concern as an operator of my private home network.

It’s completely fine for there to be conflicting goals even held by me. I want to not have my traffic interfered with when I’m on someone else’s network but I don’t want the vulnerable internet of shit stuff to be even more opaque on my network.


> since there's no reason DoH servers have to be any more centralized than regular DNS servers.

In theory, sure, but in reality they are more centralized.


Doesn't basically the whole US use either Comcast, Cox, Charter, AT&T, or Verizon? And isn't the number of people who manually choose a DNS server other than their ISP's negligible? And for DoH, besides Cloudflare, there's also Google, Mullvad, Quad9, and tons more <https://github.com/curl/curl/wiki/DNS-over-HTTPS>.


But most importantly, what does doh mean? I'm just thinking of Homer Simpson.


DNS over HTTPS.



