Quick thoughts on DoH
---------------------

Zlg[1] and slugmax[2] have recently phlogged about DNS over HTTPS (or DoH[3]). I learned about DoH relatively recently in the course of research for an article I was writing (which hopefully many of you will get to read some day, which is about all I can say about that project for now!).

I have yet to develop a strong stance on whether I am "for" or "against" DoH. But during my research I was struck by the fact that the web is *full* of what I considered to be poorly written and poorly argued "hit pieces" explaining why DoH does everything wrong and is the work of the devil. There was so much of this stuff, and it was of such low quality, that I genuinely suspect somebody with financial motives to discourage DoH adoption has been paying people to write them.

One argument which often comes up is that DoH adoption is being pushed by big, shady, surveillance-friendly corporations like Google and Cloudflare - which, to be fair, is a good reason to be suspicious of anything - and in particular that early adopters of DoH like Android and Mozilla are silently. I totally understand the concern that many people will never change those defaults, and so those few providers will swallow up a large amount of traffic (which is not too different to how many people simply use their ISP's DNS resolver, and so big ISPs get a huge share of traffic). But it seems to me this is a poor argument against DoH as a protocol, which after all is no more centralised than HTTPS is: the resolver is just a URL, and any server speaking the protocol can sit behind it. There are already non-commercial and privacy-centric DNS providers supporting DoH (some are listed here[4]), and presumably there will be more in the future. Reconfiguring your browser to use one of these instead of Cloudflare is probably no more effort than disabling DoH entirely (which for many people will result in falling back to plaintext DNS). Doing this shows support for improving DNS security (which is sorely needed) without supporting centralisation or commercialisation.
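To make the "no more centralised than HTTPS" point concrete, here is a minimal DoH client written for this post (it is an added example, not code from the phlog or from any DoH provider). It builds a wire-format DNS query, sends it as an HTTP POST with the application/dns-message media type that RFC 8484 specifies, and parses the answer section. The resolver URL is an ordinary parameter, so pointing it at a non-commercial provider is a one-string change. The embedded sample response is constructed by hand for offline testing and was not captured from any real resolver; the resolver URL in the comment is a placeholder.

```python
"""Minimal DNS-over-HTTPS (RFC 8484) client, added as an illustration.

The DoH "protocol" is just a DNS message (RFC 1035 wire format) carried
in an HTTPS request body; which server receives it is entirely up to the
client configuration.
"""
import struct
import urllib.request


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a DNS query message. RFC 8484 recommends transaction ID 0
    so that identical queries produce identical, cacheable HTTP bodies."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name starting at `off`.
    Returns (name, offset just past the name in the original stream)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_answers(msg: bytes):
    """Return [(name, rtype, ttl, rdata), ...] from the answer section.
    A records are rendered as dotted quads; other types as raw bytes."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    if rcode != 0:
        raise ValueError(f"resolver returned RCODE {rcode}")
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                             # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers


def doh_request(resolver_url: str, name: str, qtype: int = 1, timeout: int = 5):
    """POST the query to any RFC 8484 endpoint. Requires network access;
    `resolver_url` is whatever provider you choose (placeholder below)."""
    req = urllib.request.Request(
        resolver_url,
        data=build_query(name, qtype),
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.headers.get("Content-Type") != "application/dns-message":
            raise ValueError("response is not a DoH message")
        return parse_answers(resp.read())


# Constructed sample response (not captured from any real resolver):
# a reply to "example.test A" carrying one A record, 192.0.2.1, TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; RCODE 0
    + build_query("example.test")[12:]               # echoed question section
    + b"\xc0\x0c"                                    # name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_answers(SAMPLE_RESPONSE))
    # Live use: doh_request("https://<resolver-of-your-choice>/dns-query", "example.com")
```

Nothing in the client above is specific to one operator: the same request body goes to whichever URL you configure. In Firefox the equivalent knobs are the network.trr.mode preference (3 = DoH only, 2 = DoH with plaintext fallback) and network.trr.uri, which holds the resolver URL.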
None of this is to say that DoH is without problems, or that it is better than alternative solutions. I'm still not sure where I stand on that. But it would be a shame to potentially throw out the baby with the bathwater because of default settings.

[1] gopher://zaibatsu.circumlunar.space:70/0/~zlg/0015_disable-doh.txt
[2] gopher://republic.circumlunar.space:70/0/~slugmax/phlog/2020-02-29-comments-on-dns-over-https
[3] https://en.wikipedia.org/wiki/DNS_over_HTTPS
[4] https://www.privacytools.io/providers/dns/