Little pro-tip for anyone who tries to run their own private DoH infrastructure too, Firefox doesn't like RFC1918 addresses for the DoH resolver. Set `network.trr.allow-rfc1918=true` if you run DoH on a private IP.
That’s the design intent. Because not all network administration is benign.
DoH is a tool like any other. Good or bad entirely on why and how it’s used. And your own perspective on that use case.
DoH opens me up to security problems that I wouldn't otherwise have, and the extent I have to go to in order to stop it is crazy.
> DoH is a tool like any other. Good or bad entirely on why and how it’s used.
Except that it's a tool I have little control over, and no control over how and why it's used. That's the problem.
DoH is a plague.
You can't control it as a malicious censor who's trying to control what Web sites other people's computers can access just because they're on your Wi-Fi. You can absolutely control it on computers that are actually yours.
That's not true when the just the network itself is yours. It's only true when all of the computers on it are too.
> DoH opens me up to security problems that I wouldn't otherwise have, and the extent I have to go to in order to stop it is crazy.
What? No it doesn't.
> Except that it's a tool I have little control over, and no control over how and why it's used. That's the problem.
You're not supposed to be able to have control over what tools other people use on their own computers.
Yes you can. Do what corporate firewalls do. MITM all TLS connections with your own personal CA. Don't allow any traffic streams that you can't MITM to leave your network.
Of course, this is not the fault of DoH providers themselves - at worst, they have just made it easier to perform this.
And it's a good thing that DoH is easy, because it helps protect vulnerable people from censorship and surveillance.
I was unclear. This is exactly the case I'm talking about. The network, and all of the devices on the network, are mine.
> What? No it doesn't.
It does. It makes it easier for bad actors -- mostly advertising networks -- to bypass my DNS filtering. They can do it all with their own code, encrypted through HTTPS to hide it, and never touch my DNS systems, nor be affected by browser settings.
> You're not supposed to be able to have control over what tools other people use on their own computers.
Again, I'm talking about having control over my own machines, not anyone else's.
If that makes DoH bad, then privacy is bad too since it makes it easier for terrorists and pedophiles to evade the law.
The only privacy they are affording is specifically to entities that I don't want operating on my machines to begin with, who are mostly interested in violating my privacy.
So this privacy mechanism, in this use case, really is bad because it reduces my privacy.
They will tell you it is to defeat censorship though and to improve network resilience, because they are deeply committed to having the image of being a champion of internet freedom.
And besides, every browser that supports DoH also lets you pick what server to use, and adblocking DoH servers exist.