I find it quite exciting tbh, the improvements seem to be far on the good side, it might help mobile users a lot (my ISP interferes with DNS to block VPN and tries to show ads if it fails to resolve an address).
Of course they'll have to work making sure that privacy is preserved and people outside the US don't have their data shipped off to the US.
In fact, assuming there's no deep meaningful dependence between the performance of DoH and DNS requests then ordering by the performance of DNS requests clusters all the bad DNS requests and shuffles the DoH requests randomly. It's therefore not surprising that after averaging you see a spike of bad DNS requests which is absent for the DoH requests (you're essentially looking at the quantile function of the DNS requests minus the average of the DoH requests).
Edit: unless what we're looking at is the difference of both quantile functions, but then the language describing the graph is a bit confusing and just plotting both quantile functions would have saved a lot of confusion.
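A constructed simulation of the selection effect described in the comment above; it is an added example, not part of the thread or of the experiment's analysis. It assumes (as a constructed model) that DNS and DoH latencies are independent draws from the same heavy-tailed lognormal distribution, so any gap the sorted comparison reports is an artifact.

```python
import random
import statistics

# Constructed latency model: independent DNS and DoH samples drawn from the
# same heavy-tailed lognormal distribution (milliseconds), so there is no real
# difference between the two for the comparison to find.
def draw_pairs(n=20000, seed=1):
    rng = random.Random(seed)
    return [(rng.lognormvariate(3.0, 0.6), rng.lognormvariate(3.0, 0.6))
            for _ in range(n)]

def bin_means(pairs, bins=100):
    """Split an already ordered list into equal bins and return per-bin
    (dns_mean, doh_mean, dns_mean - doh_mean)."""
    size = len(pairs) // bins
    rows = []
    for b in range(bins):
        chunk = pairs[b * size:(b + 1) * size]
        dns = statistics.fmean(p[0] for p in chunk)
        doh = statistics.fmean(p[1] for p in chunk)
        rows.append((dns, doh, dns - doh))
    return rows

def sorted_by_dns(pairs, bins=100):
    """Ordering by DNS latency alone, then averaging both series per bin:
    DoH values land in bins at random, so the tail bins show a spurious
    DNS 'spike' that is absent for DoH."""
    return bin_means(sorted(pairs, key=lambda p: p[0]), bins)

def quantile_functions(pairs, bins=100):
    """Sorting each series on its own, i.e. comparing quantile functions:
    with identical distributions the per-bin difference stays near zero."""
    dns = sorted(p[0] for p in pairs)
    doh = sorted(p[1] for p in pairs)
    return bin_means(list(zip(dns, doh)), bins)

if __name__ == "__main__":
    pairs = draw_pairs()
    for label, rows in (("sorted by DNS", sorted_by_dns(pairs)),
                        ("quantile functions", quantile_functions(pairs))):
        worst = rows[-1]
        print(f"{label}: top-1% bin DNS {worst[0]:.1f} ms, "
              f"DoH {worst[1]:.1f} ms, difference {worst[2]:+.1f} ms")
```

Running it shows the slowest bin "improving" by tens of milliseconds under the DNS-sorted method while the quantile comparison reports no difference, even though both series come from the same distribution.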
The more important question is who we trust though. Currently, the DNS information where we go on the web is spread across a number of national internet service providers. In some countries, they feed this info to the NSA. In others, they may not.
This new DNS system makes everybody use a single DNS endpoint, the same one across the world located in the US.
Is this better or worse? Depends on your ISP and country.
This was only the case in this experiment. From the article:
> We’re also working on privacy preserving ways of dividing the DNS transactions between a set of providers, and/or partnering with servers geographically.
That is still fewer different providers than can currently be used, so it is something that we should be concerned with long-term, but I don't think it makes sense to throw the technology away. Just be concerned that there are the right kind of providers used for this.
I figure this is becoming like the CA infrastructure, for better or for worse.
If I had to guess, they will likely have a heuristic where your local DNS is first checked somewhat regularly if it supports DoH; if not, use the one configured in Firefox, if DoH is enabled, that is.
> Using HTTPS with a cloud service provider had only a minor performance impact on the majority of non-cached DNS queries as compared to traditional DNS. Most queries were around 6 milliseconds slower, which is an acceptable cost for the benefits of securing the data. However, the slowest DNS transactions performed much better with the new DoH based system than the traditional one – sometimes hundreds of milliseconds better.
These days, credential and PII theft phishing is a huge concern. Without intercepting HTTPS, the only way to know if a user went to a phishing site is by logging DNS or relying on SNI (SNI encryption is being developed as well).
Though I will say inspecting DNS for phishing protection is like watching your front door to catch a burglar.
In essence, defenders need to monitor for and block attacker infrastructure.
Shame on you for making studies like this opt-out. Look, I get that making it opt-in would reduce your sample size but this kind of thing isn't acceptable for a browser that's supposed to respect the user -- you're literally using dark patterns. Expressed consent should be the standard.
You're targeting Nightly users, the very people who know enough to make an informed decision as to whether they want to participate in the study, please just let us make an informed decision. Have a big modal pop-over when the browser starts, explain the experiment and give the user an unbiased choice -- don't select participate by default, don't make the decline button gray and sad, don't shame the user with the decline button text. I would have been excited to participate.