
DNS-over-HTTPS (DoH) Update – Detecting Managed Networks and User Choice - bzbarsky
https://blog.mozilla.org/futurereleases/2019/07/31/dns-over-https-doh-update-detecting-managed-networks-and-user-choice/
======
badrabbit
A thing I recently noticed about cloudflare's DoH resolver: It is already
being classified as "Anonymizing tools" and similar categories by several
companies, leading to a successful block.

Perhaps using an inconsistent IP and being able to use _any_ cdn/cloud IP (by
including it as a subject in the cert) coupled with SNI encryption might help?

I am split about the subject myself but I prefer upstream DoH resolvers to be
hard to block. If I want to intercept DoH I can always provide an internal
resolver.

~~~
vetinari
If you just up the ante in managed networks, you will end up with two choices:

a) https proxy, custom CA certificate and filtered DNS anyway, or

b) no internet access.

I would rather not end up that far. Just internal resolver won't help you,
when the apps (not systems, apps) are ignoring it.

