To add to this issue from a personal level: those who use a Pihole or operate other internal services from within their own home network will now have to change the settings for _every application_ using DoH on that network.
This could become a major hassle if the number of devices and owners becomes large. There's not even a workaround for this because I do not directly manage family members' devices (nor would they want me to).
I really like Firefox for they are the only real option these days. I use it and I encourage all those around me to use it. This change will require me to do a lot more manual work and likely lead to confusion over whether a service is down or not.
How far off are we from DoH being supported by common operating systems, DHCP, etc?
It would be nice if these apps could detect whether the system is using DoH and only fall back to their own DoH resolver in the case they're using "legacy" DNS.
Honestly, all these apps shouldn't even bother detecting for DoH or not. If people want to use DoH they can set up their own local resolver and configure their network for it (and for folks on Windows, that could even be packaged third-party).
The reason browsers are interested in including DoH is to protect users who don't even know this is a problem, and definitely aren't going to set up their own resolver.
> How far off are we from DoH being supported by common operating systems, DHCP, etc?
To my knowledge none. Nobody is doing this, because it subverts how DNS is supposed to operate.
> It would be nice if these apps could detect whether the system is using DoH and only fall back to their own DoH resolver in the case they're using "legacy" DNS.
Yeah. Good luck diagnosing that when something stops working as expected.
> To my knowledge none. Nobody is doing this, because it subverts how DNS is supposed to operate.
Huh? Of course people do this, it's a standard way to do DNS that improves over older DNS wire protocols by offering better security properties. It's unfortunate that we had to involve HTTP in this, but needs must.
For example you can drop in an NSS replacement that uses DoH instead of conventional DNS for all your glibc software, or you can get software from a variety of sources that runs on UDP port 53 of your local machine like a normal DNS relay but uses DoH to someone trustworthy to deliver.
> DNS should be a system-level setting, not an App-level setting.
I would go even further: Any app trying to bypass the system-level network settings (like with DoH) should be considered malicious and possibly malware.
This is what spam-bots used to do back in the day. Now let's add Firefox to the list.
Having a pihole still doesn't prevent applications from using another resolver - for example `dig example.com @8.8.8.8`
You'd also need to block all other DNS traffic. And even after that, it's tricky, as applications that are not a browser might be doing this with a hardcoded DoH provider.
There’s a way to redirect any port 53 traffic back to your pihole if you have enough control over the gateway, but I don’t know if it’s worth doing. Breaks a bunch of things you’d normally do to debug whatever.
Been doing this a few years, after seeing lots of apps and devices using 8.8.8.8 despite being given my resolver back via DHCP (so obviously hard-coded into them and they're ignoring OS DNS.)
No practical drawbacks so far, although I have found many “open resolvers” online from my home, only to realize it’s the redirection messing things up.
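The gateway-side port 53 redirection the two comments above describe, written out as an added example (not something posted in the thread). It assumes nftables on the gateway and a Pi-hole on a separate LAN host whose IPv4 address is passed as the argument:

```shell
#!/bin/sh
# Emit an nftables ruleset that forces every plain-DNS (port 53) flow from the
# LAN through the Pi-hole. Output is a text ruleset meant for `nft -f -`.
# Assumptions (not from the thread): rules run on the gateway, the Pi-hole is a
# separate host on the LAN, and its address is the first argument.
dns_redirect_rules() {
    pihole="$1"
    case "$pihole" in
        *[!0-9.]*|"") echo "usage: dns_redirect_rules <pihole-ipv4>" >&2; return 1 ;;
    esac
    cat <<EOF
table ip dns_redirect {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # The Pi-hole's own upstream queries must not be looped back to itself.
        ip saddr $pihole return
        # Every other UDP/TCP packet to port 53 is rewritten to the Pi-hole,
        # so a hard-coded "dig example.com @8.8.8.8" is answered by the Pi-hole.
        meta l4proto { udp, tcp } th dport 53 dnat to $pihole:53
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hairpin NAT: when client and Pi-hole share the LAN, masquerade the
        # redirected flows so the reply returns via the gateway and the client
        # sees it coming from the resolver it actually asked.
        ct status dnat masquerade
    }
}
EOF
}
```

Pipe the output to `nft -f -` on the gateway. This only catches plain port 53 DNS; an application with a hard-coded DoH provider on port 443 still goes straight past it, which is the limitation the thread raises.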
> It would be nice if these apps could detect whether the system is using DoH and only fall back to their own DoH resolver in the case they're using "legacy" DNS.
In which case these applications are either broken or malware.
The application needs to fix that by using DNS supplied by the OS, as everyone should do.