
Big ISPs aren’t happy about Google’s plans for encrypted DNS - Deinos
https://arstechnica.com/tech-policy/2019/09/isps-worry-a-new-chrome-feature-will-stop-them-from-spying-on-you/
======
kelnos
While I don't particularly trust Google all that much anymore, the fact that
ISPs even have an _opinion_ on this is a smoking gun that they're doing
sketchy things with DNS data. There is no actual technical reason why they
should care if you use their DNS servers or something else, even a private,
encrypted DNS service.

~~~
z9e
They definitely are. I know for a fact that they are running massive Hadoop
clusters storing information on DNS records involved in their customer
traffic. If I recall correctly they mirror a lot of the traffic to analytics
environments.

~~~
gnu8
I wonder why someone who knows how to do any of that would think it is a good
idea or go along with implementing that. The shitbirds who actually want to do
this type of thing are not smart enough to execute it.

~~~
etaioinshrdlu
To make money on analytics?

~~~
jdironman
He is speaking of the developers and engineers who have the technical
expertise and should know it's a bad idea but still agree to implement it
regardless of their moral compass.

~~~
tidepod12
Why the implication that devs/engineers who have such technical expertise
"know it's a bad idea"? There are _plenty_ of devs and engineers who would
have no moral issue with mass data collection and analytics. You don't
magically become a paragon of morality just because you got a CS degree. Just
ask Zuckerberg.

~~~
Trisell
I’m working at a company and they want to do a massive amount of logging from
our company's iOS app. Basically log everything in the name of security. I
made the statement today: what does legal think about the data we would now be
storing? It has user locations, GPS coordinates, all the other fun stuff you
can get from a user's phone. They all looked at me like I was crazy for even
asking that question. And I don’t think a single person in the room, the devs
included, had even thought about the personal data we were going to be able to
collect. And whether we SHOULD be collecting it.

~~~
janvidar
If your company does business in the EU, or has users within the EU then the
GDPR kicks in.

The legal department would care about that.

------
daedalus_j
I'm fine with encrypted DNS as long as it's from _my_ router to the
(encrypted) DNS provider of _MY_ choice.

Interference from browsers with network level operations is my real worry. As
far as I'm concerned, as long as the browser speaks HTTPS to my router, and my
router speaks HTTPS to the servers, no problem. I'm worried about the "to
protect the users we've hijacked their DNS directly via the browser"
possibility though.

I know it used to be that using ISP DNS servers gave you access to some of
their local caching and such. I don't hear that talked about much in these
discussions. Is that no longer a thing, and thus we truly don't need ISP DNS?

~~~
tptacek
If you're on a mainstream US ISP, interference from your browser with your
ISP's "network level operations" is a privacy necessity. They're passively
monitoring DNS to collect data on their customers and hijacking it to send
users to advertising sites. ISP DNS is manifestly untrustworthy.

~~~
daedalus_j
Well no, because my router is proxying DNS requests, and it's not to my ISP's
DNS servers. (It's also serving a number of custom DNS records for
internal/work stuff.)

I don't understand how trading one ISP for another (Cloudflare?) is an
improvement long-run. The system itself needs to be resilient, not just depend
on the kindness of the upstream gods.

~~~
olliej
DNS requests are transmitted in plaintext through the ISP's connections.
Because DNS is not remotely secure there isn’t any reason they couldn’t simply
redirect your selected DNS to their own, or replace “not found” responses with
a link to their own advertisements.

So without DoH an ISP knows everything you request, even if you have a
different DNS server set, and if they really wanted to they can simply hijack
any connection you make.

~~~
daedalus_j
It's a good point, but it is preventable by the network admin. For example, I
bypass that by tunneling everything out over a VPN, and the local resolver
attempts to use HTTPS to connect to upstream anyway. Obviously not every user
is in a position to protect themselves in such a way, so I get why the browser
is attempting to protect them.

Just seems very wrong to me to take the control away from the user/network-admin
in any way. I mean, if you're gonna do it, go whole-hog. Delete HTTP
from the browser entirely, right? I don't think that would go over well
either, although it could certainly be justified by the same logic.

Maybe I'm misunderstanding something about the issue, there has been a fair
bit of FUD, but I simply don't feel good about the browser taking authority
outside its "please render this code into a webpage" scope.

~~~
comex
> Delete HTTP from the browser entirely, right?

It’s not being _deleted_, but Chrome at least has been gradually phasing in a
warning in the address bar whenever you visit an HTTP site. [1] (Firefox will
apparently do the same starting soon.) I wouldn’t be surprised if the warning
UIs get more aggressive a few years down the line, as HTTPS adoption continues
to increase.

[1] [https://blog.chromium.org/2018/05/evolving-chromes-security-...](https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html)

~~~
tialaramex
Firefox currently shows a red crossed out padlock for HTTP sites with form
elements, but not yet for HTTP sites without form elements which for now get
neutral treatment. The rationale is that you definitely shouldn't be using
insecure forms, what could you possibly be writing where you really don't care
about at least confidentiality (to prevent eavesdroppers from reading it) or
integrity (to prevent a MitM from changing it)?

If you set HSTS and then subsequently remove HTTPS from a site it should (will
for Firefox, kind of for Chrome) brick wall you, saying that it isn't able to
reach the HTTPS site without offering to let you see the insecure and perhaps
compromised HTTP site even if you spell out the HTTP URL.

Unlike HPKP this isn't considered a foot gun because you can fix it by just
enabling HTTPS, and why didn't you have HTTPS anyway?

The biggest forward pressure for HTTPS is that newer protocol versions (after
HTTP/1.1) do not in practice exist for plain HTTP. The way to do plain HTTP/2
is documented but nobody has plans to implement it, and there isn't even
intent to document a plain HTTP/3 because the stuff it's built on is all
encrypted from the ground up. From my point of view this is good news.

------
untog
I'm usually very skeptical of Google's plan for anything, but if it's pissing
off big ISPs then sign me up.

~~~
dodobirdlord
Google's plans usually have carefully laid out technical justifications, and
are mostly kinda boringly/obviously good, like QUIC/HTTP3. That you're usually
skeptical of any plan coming from Google suggests that your skepticism is
miscalibrated.

~~~
dogecoinbase
Here's a twitter thread worth reading, from the former VP of the Firefox
group:
[https://twitter.com/johnath/status/1116871238922776576](https://twitter.com/johnath/status/1116871238922776576)

It's easy to make proposals that incrementally increase user security while
simultaneously increasing one's own ability to consolidate and exploit user
data. Technical appeal needs to be evaluated with a simultaneous critical eye
to social impact (QUIC is a perfect example -- it outcompetes TCP on an
equivalent link, and falls apart over variable-latency or highly unreliable
connections, like those that exist in developing nations -- but of course,
Google doesn't care about those audiences).

~~~
deadmutex
> developing nations -- but of course, Google doesn't care about those
> audiences

Do you have a citation for your claims? There is plenty of evidence to the
contrary: [https://www.blog.google/technology/next-billion-users/](https://www.blog.google/technology/next-billion-users/).

------
Santosh83
What I _fear_ will happen in several years is that local ISPs will also begin
offering DoH by default (if you can't beat the competition, join them) and
continue snooping on your traffic, just like Google or Cloudflare could do now
technically, if they wanted to. Ultimately this boils down to which entity you
trust more, your ISP or some other provider. Today Google/Cloudflare et al are
by far the more trustworthy options for DNS at least. But this may not remain
forever this way. The price for privacy/security is eternal vigilance,
something end users don't (or can't) want to do.

~~~
topranks
Why would you _fear_ ISPs offering an encrypted service? It’s hardly a step
backwards?

DoT would be preferable to DoH (no additional metadata / cookies), but either
way ISPs should adopt encrypted DNS.

You are correct it boils down to “who you trust.” In my country the ISP wins
hands down over a foreign mega-corp so I end up making a different decision to
you.

The key thing is that it is a choice for users, not something software just does
without knowledge of what’s going on.

~~~
pornel
Because DoH is supposed to hide the DNS traffic _from ISPs_ (among others).
Sending the DNS traffic straight to the ISP defeats the purpose of it. That's
like MITM on the first hop.

~~~
doikor
But the default state is to use the DNS provided by your ISP so nothing really
changes.

------
profmonocle
> the company has no plans to switch Chrome users to its own DNS servers.

Meanwhile, the Chromecast inexplicably ignores DHCP/NDP-provided DNS servers
and uses 8.8.8.8 for all queries.

~~~
the_pwner224
Even worse - it will disable itself if it cannot connect to 8.8.8.8.

[https://news.ycombinator.com/item?id=19170671](https://news.ycombinator.com/item?id=19170671)

~~~
onlingyding
I don't think that's true anymore. I've blocked my Chromecasts from accessing
Google's DNS servers and they then just fall back to the ones from DHCP.

------
Crazyontap
I may not have the technical expertise to understand this fully but right now
I'm doing adblocking by using adguard's DNS IPs in my router (1).

It kinda works everywhere but for some apps like Chromecast I have to null
route two IP addresses (8.8.8.8 and 8.8.4.4) otherwise it doesn't work. Those
are both Google's IPs afaik.

So my question is: will I be able to keep doing it after this? I am asking
because I am extremely suspicious of Google these days and wondering if they
have an ulterior motive to prevent users from doing such host based adblocking
in future?

(1) [https://adguard.com/en/adguard-dns/overview.html](https://adguard.com/en/adguard-dns/overview.html)

~~~
ekimekim
Yes, 8.8.8.8 and 8.8.4.4 are Google DNS resolvers. Sounds like your Chromecast
has them hard-coded instead of respecting your locally configured DNS.

In comparison to your current position, where you're black-holing the
hard-coded addresses and the app is falling back to your configured DNS: yes you
will be able to continue doing that, assuming the Chromecast will maintain the
same fallback behaviour. The exact addresses you need to block and the
protocol/ports you need to block may change (eg. to port 443 tcp instead of
port 53 udp).

The big thing that DoH will prevent is something that you aren't currently
doing, which is: instead of null-routing 8.8.8.8, you could be _intercepting_
DNS requests to 8.8.8.8 and responding to them yourself. You would need to do
this if the chromecast didn't fall back to using your proper DNS server. DoH
will prevent this kind of interception, so your only choices are to allow it
through or block it. And if the Chromecast then refuses to fall back, then
blocking it will make the device not work, with no viable workaround short of
replacing the firmware.

The goal of DoH is ultimately to prevent your ISP doing the exact same thing
to you, ie. intercepting (or just listening in on) your DNS requests even when
you want them to go elsewhere. Unfortunately, there's no way to prevent the
same protections from extending to a malicious local device trying to
circumvent you on your local network.

~~~
judge2020
The reason for 8^4 being used for "can I connect to the internet" is valid
since the DHCP DNS might be an internal router that's up even when the
internet is unreachable; why it's being used for all DNS queries is less
defensible. How long till it uses DoH to
[https://dns.google](https://dns.google) ?

------
deckarep
Haha Big ISPs...there’s absolutely no reason why regular HTTP
requests/responses should be TLS encrypted while DNS queries should not...they
go hand in hand for maintaining end-user privacy and YOUR integrity.

~~~
GhettoMaestro
"Going blind" is a term I've heard recently when talking with operators. Whereas
"going dark" referred to the DOJ/FBI's term for ubiquitous encipherment of
the content, "going blind" refers to the metadata (DNS in this case).

My view is pretty basic: If I can see your DNS, I can pretty much guess on a
very short list what kind of [browsing] behavior you are engaging in.

~~~
joewee
You don’t have to guess. You can actually see it.

What you can infer is why and who. Which is the real danger. I would trust
google to protect sensitive data like sexual preferences before I trust my
ISP.

~~~
GhettoMaestro
It all depends how much is abstracted behind a common host (eg name based
virtual hosting). I can see you are going to Google. But I don't know what
within Google you are really accessing or using in most cases.

------
andrewla
It's pretty clear that the ISPs drafted their letter before Google made it
clear that they would not be forcing the transition to their own DNS servers.
The complaints are entirely about centralization.

Google has attempted to allay some of these concerns, but their initial blog
post [1] makes it clear that only certain whitelisted DNS providers would be
permitted to participate. That does imply a degree of centralization
regardless of Google's assurances to the contrary.

[1] [https://blog.chromium.org/2019/09/experimenting-with-same-pr...](https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html)

------
gigatexal
If this prevents ISPs from making even a penny on data mined from DNS queries
of their users, even in an aggregated and anonymized manner then so be it
because ISPs are supposed to be dumb pipes. And there is nothing creepier than
someone mining what I search for. Just fulfill the contract of giving me the
internet for my 75USD a month.

------
l0b0
Is there a way to set up a big list of round-robin DNS servers in Linux, to at
least minimize the amount of navigation history any one DNS provider knows
about you?

~~~
tyingq
Unbound can be configured as a local caching forwarder that round-robins to
your list of resolvers.

[https://gist.github.com/MatthewVance/5051bf45cfed6e4a2a2ed9b...](https://gist.github.com/MatthewVance/5051bf45cfed6e4a2a2ed9bb014bcd72)

------
pulse7
With the statement "could interfere on a mass scale with critical Internet
functions, as well as raise data-competition issues" they are actually lying
and misrepresenting the issue. In reality there is not much "to interfere" -
especially not so much, that you would need to contact the Congress...

------
Unklejoe
I guess this means no more DNS based ad blocking for devices like the
Chromecast which ignore the DNS info provided by DHCP and are instead hard
coded to use Google’s server?

------
gudok
How exactly will encrypted DNS reduce spying? ISPs will still be able to
observe the IP addresses users connect to and even particular host names in SSL
handshakes.

~~~
NicolaiS
Due to shared hosting you can't map every IP to a hostname, and encrypted SNI
is a thing.

~~~
lilsoso
But the ISP can likely map most of the IPs to hostnames, as one would expect
shared hosting to only be used for smaller sites.
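
Added example (not code from any poster or from the article) for the point gudok and NicolaiS are making above: once DNS is encrypted, the hostname still travels in plaintext inside the TLS ClientHello's Server Name Indication extension unless encrypted SNI is used. The ClientHello is constructed inline, and the parser returns exactly what a passive monitor on the path would read from it, or None when the handshake carries no SNI.

```python
"""What remains visible on the wire after DoH: the SNI in a TLS ClientHello.

Added example for this thread; the ClientHello below is a constructed
fixture, not a capture.  Only the fields a parser has to step over are
filled in, which is enough to show where the hostname sits.
"""
import struct


def build_client_hello(server_name):
    """Constructed TLS ClientHello record.  Pass None to build one without
    an SNI extension (the shape an encrypted-SNI client would present to an
    observer, as far as the plaintext name is concerned)."""
    body = b"\x03\x03" + b"\x11" * 32                    # client_version, random
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"   # two cipher suites
    body += b"\x01\x00"                                  # compression: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(name_list)) + name_list  # type 0 = SNI
    exts += struct.pack("!HH", 0x0017, 0)                # extended_master_secret
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def client_hello_sni(record):
    """Return the host_name carried in the SNI extension of a ClientHello
    record, or None if the record is not a ClientHello or has no SNI."""
    if len(record) < 5 or record[0] != 0x16:             # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:                          # not a ClientHello
        return None
    off = 4 + 2 + 32                                     # hs header, version, random
    off += 1 + hs[off]                                   # session_id
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0]   # cipher_suites
    off += 1 + hs[off]                                   # compression_methods
    if off + 2 > len(hs):
        return None                                      # no extensions block
    ext_len = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[off:off + 4])
        off += 4
        if etype == 0:                                   # server_name extension
            data = hs[off:off + elen]
            pos = 2                                      # skip list length
            while pos + 3 <= len(data):
                name_type = data[pos]
                name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
                if name_type == 0:                       # host_name
                    return data[pos + 3:pos + 3 + name_len].decode("ascii")
                pos += 3 + name_len
        off += elen
    return None


if __name__ == "__main__":
    for host in ("example.com", None):
        print(host, "->", client_hello_sni(build_client_hello(host)))
```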

------
xvector
Death to big ISPs.

~~~
tbyehl
Death to PiHole and every other DNS-based ad block and security system. At
least, by Mozilla's plan.

~~~
shakna
PiHole supports DoH [0], via the cloudflared daemon. This won't change
anything.

[0] [https://docs.pi-hole.net/guides/dns-over-https/](https://docs.pi-hole.net/guides/dns-over-https/)

~~~
dcow
This is incorrect. Mozilla is ignoring your os/dhcp configured server and
using Cloudflare. Your PiHole no longer sees the traffic.

There is a way to configure your network to make Firefox not do this, so
that's good. But it's not the default.

~~~
tomschlick
That's also false.

Mozilla added a canary domain (use-application-dns.net) that, if blocked, will
default to the local DNS resolver. There are several threads in the Pi-hole
community about blocking it by default so I expect that will be done before
Mozilla turns it on for the masses.
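
As an added example (not code from Mozilla, Pi-hole or the article), the two mechanics discussed in this subthread and in ekimekim's comment above, in Python: a DNS question packed into the RFC 8484 GET form that travels over TCP 443 instead of UDP 53, and the canary check that decides whether the local resolver has opted the network out of DoH. The resolver URL is a placeholder, the replies are constructed fixtures, and the fallback rule here (NXDOMAIN, or an answer without A/AAAA records, means "stay off") is this example's reading of "blocked".

```python
"""DoH GET encoding (RFC 8484) plus a Firefox-style canary fallback check.

Added example for this thread, not code from Mozilla, Pi-hole or the
article.  Everything runs offline: the resolver URL is a placeholder and
the replies are constructed fixtures.
"""
import base64
import struct

CANARY = "use-application-dns.net"
DOH_URL = "https://doh.example/dns-query"   # placeholder, not a real resolver

TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1
RCODE_NXDOMAIN = 3


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ended by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A):
    """Plain DNS query message.  ID is 0 as RFC 8484 recommends for DoH, so
    identical questions produce identical (and therefore cacheable) URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(base, query):
    """The DoH GET form: the whole DNS message, base64url without padding,
    in the 'dns' query parameter.  This is why a filter that only watches
    UDP/53 never sees the question: it is an HTTPS request to TCP/443."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return base + "?dns=" + param


def decode_dns_param(url):
    """Server-side counterpart: recover the wire-format query from the URL."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def _skip_name(msg, off):
    """Step over a (possibly compressed) name and return the next offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length


def doh_should_stay_off(response):
    """Canary rule as this example reads 'blocked': the local resolver answers
    the canary with NXDOMAIN, or with no A/AAAA records, so DoH is not used."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F == RCODE_NXDOMAIN:
        return True
    off = 12
    for _ in range(qdcount):                 # question: name + type + class
        off = _skip_name(response, off) + 4
    addresses = 0
    for _ in range(ancount):                 # answer resource records
        off = _skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10 + rdlen
        if rtype in (TYPE_A, TYPE_AAAA):
            addresses += 1
    return addresses == 0


def build_response(name, rcode, ipv4_addrs):
    """Constructed resolver reply (fixture): QR/RD/RA flags plus rcode, the
    question echoed, and one A record per address (owner name via pointer)."""
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, len(ipv4_addrs), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for addr in ipv4_addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + rdata
    return msg


if __name__ == "__main__":
    url = doh_get_url(DOH_URL, build_query(CANARY))
    print("DoH GET:", url)
    blocked = build_response(CANARY, RCODE_NXDOMAIN, [])    # resolver says NXDOMAIN
    answered = build_response(CANARY, 0, ["192.0.2.10"])    # ordinary A answer
    print("stay off (NXDOMAIN):", doh_should_stay_off(blocked))
    print("stay off (A answer):", doh_should_stay_off(answered))
```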

~~~
dcow
> There is a way to configure your network to make Firefox not do this, so
> that's good. But it's not the default.

That’s what I’m referring to.

------
aschatten
Google defaulting to ignore system settings and use Google DNS server is an
issue.

But it's cute how ISPs are trying to mash the deployment of DoH support and
defaulting to Google's server into one issue.

The last paragraph absolutely seems like fearmongering:

_Moreover, the centralized control of encrypted DNS threatens to harm
consumers by interfering with a wide range of services provided by ISPs (both
enterprise and public-facing) and others. Over the last several decades, DNS
has been used to build other critical internet features and functionality
including: (a) the provision of parental controls and IoT management for end
users; (b) connecting end users to the nearest content delivery networks, thus
ensuring the delivery of content in the fastest, cheapest, and most reliable
manner; and (c) assisting rights holders’ and law enforcement’s efforts in
enforcing judicial orders in combatting online piracy, as well as law
enforcement’s efforts in enforcing judicial orders in combatting the
exploitation of minors. Google’s centralization of DNS would bypass these
critical features, undermining important consumer services and protections,
and likely resulting in confusion because consumers will not understand why
these features are no longer working. This centralization also raises serious
cybersecurity risks and creates a single point of failure for global Internet
services that is fundamentally at odds with the decentralized architecture of
the internet. By limiting the ability to spot network threat indicators, it
would also undermine federal government and private sector efforts to use DNS
information to mitigate cybersecurity risks._

I don't see how IoT management is going to be affected by DNS resolution made
by a browser. CDN's DNS server in any case sits upstream and should be able to
perform needed optimization. Google's or any other US DNS provider is not
exempt from complying with the US law and court orders.

------
danmg
There have been several articles in the past few days whinging about both
Mozilla and Chrome incorporating DNS over TLS. Someone seems to be REALLY
unhappy about this and those people seem to be trying to use the press as a
microphone.

It seems like it's touching a nerve and advertisers and governments are really
sweating losing their ability to do low-effort snooping.

------
btgeekboy
Something I’ve wondered: It isn’t quite clear from the various articles how
they’re doing this monitoring. I can totally see how they could monitor their
own caching resolvers. They might even passively monitor popular internet
resolvers (1.1.1.1, 8.8.8.8). But if I run my own caching resolver at home, is
that data being mined? I am aware it’s unencrypted and possible to do so, but
is it actually happening? DoH sounds nice, but it brings me back to using a
shared caching resolver which I’m not a huge fan of.

~~~
jnwatson
Your resolver still makes DNS requests that the ISPs snoop. Unless that
connection is encrypted, they have the same info as if you used the ISP’s
servers.

------
myrandomcomment
I am a bit stuck here. I know it is a bit insane, but I run a simple system at
home because I think, so if I drop dead tomorrow how is my wife going to sort
this. If I am dead, internet still needs to work so my kid can do her
homework. So despite my geek love, I do not run my own DNS, etc. The other part is
I use unblock-us so iPlayer (BBC) works here in the US. I would love to set
everything up so everything is encrypted but ... yah. Sorry depressive.

~~~
zupa-hu
That sounds backwards. You sure that will be their biggest concern if you drop
dead? They can always throw out your weird techy stuff and buy some cheap
commodity solution and get them installed.

Your reasoning sounds like, I'm not going to do breakfast for my family,
because, ya know, if I drop dead, they will miss the breakfasts.

~~~
dragonwriter
> You sure that will be their biggest concern if you drop dead?

That it's not their biggest concern doesn't mean that it won't be _a_ concern,
nor did it mean that it's not something he can avoid becoming a concern.

~~~
myrandomcomment
Correct. We have life insurance. We have a trust. All the normal stuff you do.
What I am looking at is what are the things that I do / maintain for the
family and how will that be handled if something happens? Having an overly
complex technical setup is one of the areas on that list. My death would of
course have the normal emotional impact it would have for any family. I am
trying to make sure that everything else around it that I can sort, I do. My
daughter works hard everyday at her schooling because she is determined to be
a doctor. My job as a parent is to give her everything I can to make sure she
is happy and successful in her life for as long as I can. That is the promise
I made when we had her.

Some of the comments here are taking the piss...let see how you feel when you
hold your baby for the first time.

Btw, for context, in the last 3 years I have had a perfectly healthy friend that
was in perfect shape drop dead from unexpected heart issues at 38. He had 3
kids. Another friend with 2 kids was killed in a car wreck at 44. Looking at
the things their families have had to deal with is the reason why I am
thinking about this.

~~~
zupa-hu
Sorry to hear.

Look, I did not want to insult, sorry if it came across like that. I just
wanted to point out that _in this specific instance_ you may exaggerate the
cost of switching from your weird techy stuff to a commodity solution.

That doesn't say anything about your general principle - which is totally
reasonable.

------
scoutt
Does this mean that ad-blocking HW/SW that uses DNS to filter remote sites
(Pi-Hole?) will stop working?

That's the only reason I see Google will try a move like that.

------
alex_duf
It sounds a lot like a non issue.

If providers want to keep vacuuming personal data they can provide DNS over
HTTPS and they'll capture the same amount of data.

------
nimbius
Strange these isps seem to have entirely ignored pihole, which for me is
blocking around 30% of my DNS queries and overrides ISP DNS servers entirely.

~~~
tomjakubowski
Your ISP, by virtue of supplying the pipe to the internet, can (and very
likely does) still snoop on any old-fashioned plaintext DNS requests you make
across it, even when you're not using their servers.

~~~
darklajid
I might have misread the GP, but I kinda felt that it also brought up the
issue that a pihole (or similar solutions) might cease to work in a "DoH / I
automatically pick the best resolver if I deem yours not good enough" world.

DNS privacy is awesome. Filtering malicious and annoying (read: ads) content
at the DNS level is mandatory for me.

~~~
kccqzy
I don't see how that would cease to work. At least in the case of Mozilla
they try to detect if you have a custom DNS server. When found, they won't use
DoH for fear of breaking many intranets in enterprises.

------
decksta19
At the request of some less technical friends I cooked up a solution for
using encrypted DNS and Pi-hole together, nicely wrapped in a docker-compose
config that supports both x86_64 and ARM (RaspberryPi) deployments.

[https://github.com/benke/docker-dnscyrpt-pihole](https://github.com/benke/docker-dnscyrpt-pihole)

------
knorker
Frankly the ISPs can go fuck themselves. They're a bit too comfortable in the
role of bullying gatekeeper to the Internet.

------
sys_64738
> DNS over HTTPS means ISPs can’t spy on their users

The ISP can still do a reverse look up of the IP address to see where the
traffic is going.

~~~
nimbius
reverse lookups for things like AWS hosted or cloudflare hosted sites would be
a miserably futile effort.

------
throwaway242625
I work for a large retailer ecommerce office and over the years found the
business purchase huge lists of subscriber names plus domains from ISP
customer browsing. AT&T and Verizon selling that I know about, maybe more that
I don't know. With the amount of money involved I'm sure they aren't happy.

------
Havoc
>Firefox[...]whether or not their existing DNS provider supports it.

Wait what? How's that gonna play with my existing pihole setup?

~~~
judge2020
As I understand it, you'll have to manually opt-out in firefox

------
Havoc
>Big ISPs aren’t happy

As my mom said - if you cry enough to fill a tank I'll buy you a goldfish.

------
zecg
Google probably isn't happy I won't be using their encrypted DNS, either.

~~~
kmlx
no, but the ISPs and your government are very happy about your decision.

------
jedisct1
Yandex Browser has been supporting encrypted DNS since 2016....

------
Tepix
I guess everyone who cares about privacy should run his own DNS server/cache
somewhere on the internet. Same as mail, really.

~~~
Wheaties466
How does that help at all? Your upstream DNS requests would still be
unencrypted when they are forwarded to the root servers.

~~~
Tepix
The upstream DNS requests to the authoritative DNS servers are unavoidable at
the moment so you achieve a minimum of privacy invasion.

------
techslave
“data competition”. lol. the ISPs are literally complaining that google will
now have the DNS data, _and they won’t_.

~~~
hobbes78
> google will now have the DNS data

It won't necessarily be Google... From what I understood from the article, if
you're currently using OpenDNS, Cloudflare DNS, etc., after the change you'll
still continue to use them, only the protocol used to access them will
change...

------
musicale
Although it's going to spark an ISP anti-privacy arms race, this demonstrates
why encrypted DNS is necessary.

------
ivl
Thankfully, ISPs being upset about it is a really good way to determine if
it's a good thing.

------
foobiekr
If ISPs are against it I am for it. I’ve worked in the SP market for 15 of the
last 20 years.

------
Schnitz
All we ever wanted was a dumb fat pipe. All we ever got was triple play. No
pity.

------
KaiserPro
In the land where GDPR exists, I can see why ISPs are a little annoyed.

Directing users to local CDN instances has now got harder, which means it's
going to cost more for things like Netflix.

In the US, yes, that means that ISPs can't mine your data, however, you are
handing more information to Google.

------
salmaanp
I see news about DNS every single day now!

------
isaikumar
This is a boon for Indians.

------
ggm
In many economies, ISPs have legal immunity from acts done by users
(customers) because of laws associated with 'common carrier' status.

But that status is fragile. The ISP has to act like it knows its obligations
in law, and there are things ISPs have been doing to work with LEA for a long
long time, which they won't be able to do as simply, or as well, or in some
cases at all.

As a customer it's easy to assume the _only_ answer is "good" but in fact, it's
more complex. Society depends on law, and the application of law around what
people do online is not trivial, and does not reduce down to 'all snooping is
always bad all the time' - Warrants exist to do things, and warrant canaries
are a reaction to them but not one which says warrants don't exist: they say
silent warrants should not be obligated on the receiver of the interception:
They're a position on secret law, not a position on law in itself.

TL;DR DoH and DoT are challenging established law in telecoms and big ISPs who
have common-carrier defence depend on interception in DNS and DPI and the
like, to perform their role facing LEA demands from the state _which in many
cases are entirely normal and justified_

Not all DoH and DoT stories are good stories for society at large.

Please don't reduce this to a libertarian vs everyone else debate, I would
invite you to think about what an ISP is, and what we want from ISPs as a
whole, not just as customers seeking pirate bay, but as a society investing in
a telecommunications-rich future.

The first casualty of war is the truth. The second (in WWI and WWII) was the
deep sea telecommunications cables.

~~~
zamadatix
DoH and DoT are just new delivery technologies. You've always been able to
securely tunnel your traffic out of the country and you always will as it's
trivial. DoT changing the resolver from one public company in the to another
public company of the will not prevent the government from issuing warrants,
particularly since they already issue warrants to these companies as it is.

Common carrier defence is not going to be lost from encrypting URLs, the same
FUD was spread about encrypted banking then the encryption of most websites.
The only thing that has resulted from the increase in encryption is the
decrease of ISP injected ads and the decrease of customer tracking information
being sold.

~~~
ggm
There is a volume of ability north of 95% which could be lost, and the ISP has
a mechanism to act (block DoT) but in DoH, its less simple. Hence, the liaison
between Mozilla and Google, and state authorities.

Why do you think Mozilla turns this on selectively?

------
PaulHoule
From Google's perspective being able to block ads with your hosts file is a
bug, not a feature.

~~~
cameronbrown
Perhaps. I personally would still set up DoH at the router level. ISPs begone.

~~~
aomix
Would a local DoH server make going between different networks a little
clunky? I have unbound handling dns at home but the old way lets the network
define where to get dns information and/or allow for multiple options. Seems
like Firefox doesn't have that flexibility yet.

------
chvid
Google wants the whole internet to go through them. Starting with the bloody
DNS ... nice plan ... probably needs quite a bit lobbying and bad-mouthing
other actors to succeed though ...

Absolutely. You can find a dishonest ISP. The difference is that there are
thousands of them. And not just one big opaque entity.

~~~
freyr
They're not moving anybody to Google's own DNS servers. If your current DNS
provider offers encrypted service, they'll begin using that.

_Starting with version 78, Chrome will begin experimenting with the new DoH
feature. Under the experiment, Chrome will "check if the user's current DNS
provider is among a list of DoH-compatible providers, and upgrade to the
equivalent DoH service from the same provider," Google wrote. "If the DNS
provider isn't in the list, Chrome will continue to operate as it does
today."_

