DNS-over-HTTPS (DoH)

The DNS-over-HTTPS (DoH) protocol is not the privacy panacea that many have been advocating in recent months.

If we are to listen to networking and cybersecurity experts, the protocol is somewhat useless and causes more problems than it fixes, and criticism has been mounting against DoH and those promoting it as a viable privacy-preserving method.

The TL;DR is that most experts think DoH is not good, and people should be focusing their efforts on implementing better ways to encrypt DNS traffic – such as DNS-over-TLS – rather than DoH.

WHAT IS DOH AND A SHORT HISTORY

Interesting anecdote: recently I had a call from one of my clients who had implemented DoH on his Router [not a Tik] and he asked me to investigate why, when DoH is turned on on his Router, he would lose his IPTV connection … When DoH is turned on his IPTV works for a while until his ISP reboots his IPTV gateway, then no TV until he turns DoH off on his Router. Yes, this is repeatable. So I tested this on a Tik with DoH and sure enough the very same behavior. Apparently the IPTV provider’s set-top boxes [Rogers in Canada] do not like encrypted DNS … yep – investigating this now.

IMO, DoH on browsers is the proper approach but not on Routers … on Routers DNS-over-TLS is the proper approach. MikroTik should remove DoH Router support and implement DNS-over-TLS.

Your blacklist can’t fix DoH? Weird.
I thought a blacklist fixes everything.

That is why you should only use DoH in countries that suppress free speech. It is not for usage in normal situations.

Here in the Netherlands we should start thinking about using it, due to the repression that is going on right now.

DoT supported on the Router is the better approach than DoH … however DoH is better than nothing 🙂

I fixed the IPTV issue by segregating the IPTV broadcast on its own VLAN and using another DNS service for that VLAN; this works well.

BTW, Free Speech is becoming an issue in Canada and the USA … they call it Political correctness and are passing LAWS that restrict free speech. The day will come when those [like me] will revolt against this political bullshit.

I endorse and use DoT myself. This is because in a network, resolving this way is visible to the administrator without allowing the admin to see the content. DoH is a stealth way and as admin you can’t cut that out without cutting into normal HTTPS traffic.

The IP addresses of DoH servers can be blocked, but then it will be a cat-and-mouse game.
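As an added example that is not part of this thread: a small Python classifier run over constructed connection records, showing the point made above that DoT on TCP/853 is recognisable as DNS to the administrator without exposing query content, while DoH only stands out when the resolver hostname happens to be on a list the admin maintains. The resolver list and the sample flows are assumptions for the demo, not data from the thread.

```python
"""Classify connection records to show DoT vs DoH visibility to a network admin."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Example list of public DoH resolver hostnames (assumed for this demo).
# Any such list is incomplete: a resolver not on it looks like ordinary HTTPS,
# which is the cat-and-mouse problem described in the thread.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str                  # "udp" or "tcp"
    sni: Optional[str] = None   # TLS Server Name Indication, if observed


def classify(flow: Flow) -> str:
    """Return what an admin watching the wire can say about this flow."""
    if flow.dport == 53:
        return "dns-plain"   # destination and query content both visible
    if flow.dport == 853 and flow.proto == "tcp":
        return "dot"         # identifiable as DNS by port; content encrypted
    if flow.dport == 443 and flow.sni in KNOWN_DOH_HOSTS:
        return "doh-known"   # only caught because the resolver name is listed
    if flow.dport == 443:
        return "https"       # may be DoH to an unlisted resolver; indistinguishable
    return "other"


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count flows per category, e.g. for a periodic report to the admin."""
    counts: Dict[str, int] = {}
    for f in flows:
        label = classify(f)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("192.168.88.10", "192.168.88.1", 53, "udp"),
    Flow("192.168.88.10", "203.0.113.3", 853, "tcp"),
    Flow("192.168.88.11", "203.0.113.5", 443, "tcp", "cloudflare-dns.com"),
    Flow("192.168.88.11", "203.0.113.7", 443, "tcp", "www.example.com"),
    Flow("192.168.88.12", "203.0.113.9", 443, "tcp", "doh.example.net"),  # unlisted DoH
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

The last sample flow is the instructive one: a DoH resolver not on the list is reported as plain "https", so a port-based policy that permits DoT and blocks only listed DoH endpoints cannot be complete.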