Why not use DNS over HTTPS (DoH)?

Summary

Last update: 2018-10-26

tl;dr
DoH is not about protecting your DNS queries from peepers. That is a big lie. It is about making sure only one peeper can see all of your queries. Refuse to use it today: open about:config in Firefox and set network.trr.mode to 5. This will prevent Firefox from using DoH under all circumstances.

What is DNS over HTTPS (DoH)?
DNS over HTTPS is described in RFC 8484 as a way to perform DNS by wrapping it in HTTP and additionally encrypting the data using TLS. Advocates of DoH stress that the transport encryption protects your DNS queries from peepers like your ISP or your network admin at work. Critics object that all DNS queries are directed to a single DNS provider, who becomes the one known peeper.

The basic idea
The basic idea behind new developments like DoH is to protect your DNS queries from peepers by implementing transport encryption, the same type of transport encryption that protects many other application protocols like HTTP and SMTP. This is a very good idea because DNS queries in clear text contain very interesting metadata about the sites you communicate with over the Internet. This can be useful information for any kind of bad guy, be it the NSA or the cyber-criminal.

DoH encrypts, so it must be a good thing
The public didn't care about this RFC until Mozilla announced that it would implement this new protocol in Firefox for broad field testing in collaboration with Cloudflare. The first reactions to this were: "DNS gets encryption? This must be a good thing." But slowly people started to realize what the collaboration between Mozilla and Cloudflare really means: Cloudflare gets all your DNS queries.

But Cloudflare has a data protection policy
So what? Cloudflare is a commercial company. And commercial companies, by definition, must earn money. How does a modern company in the IT business earn money? By selling data.

Is there an alternative way?
Yes, there is. It is called DNS over TLS and is specif...
