Thinking about DNS over HTTPS

I read an interesting article on the drawbacks of DNS over HTTPS (DoH) the other day.  This comes on the heels of the news that Mozilla is rolling out DoH to all Firefox users by default

I'd never really thought too much about DoH.  In general, more encryption is usually better, so my initial thought was "it's probably a good thing", but that's about as deep as it went.  After reading a little more about the down sides, I'm less convinced.  I still think it's a probably good thing that DoH exists, but I'm note so sure that it's a good idea to push everyone toward it.

My main reservation at this point is that DoH seems architecturally wrong.  It introduces a way to do DNS queries that's not really compatible with the old way and it's not clear to me that it offers any really big wins.

Of course, I'm not saying that DoH has no benefits or use-cases.  There are definitely cases where it can be useful and add another layer of privacy.  But it kind of reminds me of PHP "security" features like safe_mode in the sense that it does solve a legitimate problem, and does so in a way that "works" (for certain definitions of "works"), but solves it at the wrong layer and in a way that can interfere with other legitimate things.

As this blog from the PowerDNS team discusses, DoH is not a panacea in terms of privacy.  Yes, it adds a layer of encryption, and that is definitely useful in some cases.  But it doesn't do anything to address the myriad other ways in which your online activity can be tracked.

Of course, that depends very much on whom you want to stop from tracking you.  Obviously it does zero to stop advertisers or website operators from tracking you - they do their tracking at a much higher level.  It also doesn't stop your ISP from tracking you - even if everything else is encrypted, you can't stop your ISP from knowing the IP addresses you visit.  I mean, that's just how the web works.  And from an IP address, you can usually determine the website pretty easily.  And, of course, your DoH provider still has access to all your DNS requests, so you better make sure you trust them.

For me, personally, the bottom line is that DoH doesn't give you anything that you don't already get with a half-way decent VPN provider.  Granted, the VPN provider is then your single point of privacy failure, so you better make sure you pick a reputable on (I like and recommend Private Internet Access).  But a VPN covers pretty much everything you can do at the network level, not just DNS for web requests.  Of course, you still need browser privacy plugins to block tracking at higher levels in the stack, but sadly that's necessary either way.

You can reply to this entry by leaving a comment below. You can send TrackBack pings to this URL. This entry accepts Pingbacks from other blogs. You can follow comments on this entry by subscribing to the RSS feed.

Add your comments #

A comment body is required. No HTML code allowed. URLs starting with http:// or ftp:// will be automatically converted to hyperlinks.