This is false, and downright dangerous information. A network attacker can still see that you are visiting pornhub.com even with DoH, since you are sending the hostname in cleartext as part of the TLS handshake.
Google isn't a snake-oil security solution - they shouldn't be making such false claims.
This won't be true as soon as ESNI gets implemented. (Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=908132 and Firefox nightlies have it already). However, ESNI is pretty meaningless if you're making plain-text DNS requests, so DoH is a pretty important part of the puzzle.
Working out what website I'm browsing by doing packet analysis between my client and an IP address is vastly more difficult than just reading "www.pornhub.com" out of the SSL handshake. Despite what you think, it's not "pretty easy".
Just because a security control doesn't mitigate all risks against all threats doesn't mean it's not useful.
Like, build a prototype, show it works for some set of things Cloudflare offers over eSNI today.
Otherwise this claim is hollow. If it isn't more difficult then it sure is weird that nobody does it.
Let us know how expensive "not more difficult" ends up being. It'd be great to know that DoH plus eSNI made things "Not more difficult" by say $5M per target. I'd call that more difficult but I know you disagree.
So we've transitioned from telling our ISP that we're visiting Pornhub, to telling our ISP and some American corporation. Great move.
What's your solution to this? Put every website behind Cloudflare?
How do you know this? Do you work for them? Is that true for all time in the past and the future?
Some 5 second basic investigation.
"Do you work for them?"
"Is that true for all time in the past and the future?"
No. So what? What part of my argument don't you understand?
Also, given the reduction in privacy I just demonstrated above, what's your solution? I gave you one, which was put all websites behind cloudflare. That is a shit solution. I'm hoping you have a better one...?
However, the reality that a large number of domains are on shared IP addresses, because they're either on some sort of CDN, or are using some sort of cloud-based load balancer etc. For these sites, ESNI certainly will make a difference. I'm not interested in an absolutist argument about how "thing" is useless because it doesn't work for a specific case. Don't let the perfect be the enemy of the good.
> Also, given the reduction in privacy I just demonstrated above
You've not demonstrated any reduction in privacy. "Privacy" as a bare concept is pretty meaningless - Privacy from whom? If I choose to give my DNS data to Cloudflare, that's my choice. Passing plaintext DNS traffic and hostnames on the wire removes my choice to restrict who I expose that data to.
> I gave you one, which was put all websites behind cloudflare. That is a shit solution. I'm hoping you have a better one...?
People have been sharing IPs on domains long before Cloudflare was invented.
You need to replace "won't help", with "makes matters worse" for that to be correct.
> "However, the reality that a large number of domains are on shared IP addresses,"
Also, the reality is that a large number of domains are not on shared IP addresses.
> "You've not demonstrated any reduction in privacy"
Incorrect. It's pretty straight forward:
1. Shared IP before ESNI: Increases the number of companies that get to see which website I'm visiting.
2. Non-Shared IPs before ESNI: Increases the number of companies that get to see which website I'm visiting.
3. Shared IP after ESNI: Changes which company gets to see which website I'm visiting.
4. Non-Shared IP after ESNI: Increases the number of companies that get to see which website I'm visiting.
1, 2 and 4 are all making matters demonstratably worse. 3 only makes matters "better" if you think that Cloudflare is a better custodian of your browsing data than your ISP, which is not always the case now, and will not always be the case going forwards. And until ESNI is in place, we're stuck on 1 and 2. So in the short term, Mozilla are definitely definitely making things worse for their users.
> People have been sharing IPs on domains long before Cloudflare was invented.
Also, people have been not sharing IPs on domains longer before CLoudflare was invented, and will continue to do so after DOH is the default. So lets drop this "ESNI will fix it" argument, as it doesn't work unless we centralise the web.
Both DoH+ESNI will make me more secure and private. Here's why:
Today my home ISP has deployed middle boxes that inspect my traffic to profile my browsing habits and serve me ads. They serve ads by doing click hijacking on plain http websites. yeah, it's nasty and they do it at a huge scale.
Obviously, we have some legislative gaps to address here.
Irrespective of the legal gaps, I can make it more expensive for them to do this by ensuring all of my traffic is fully encrypted (TLS 1.3 or wireguard).
They can still see IPs and do IP reverse lookup and traffic timing analysis etc. But the information leaked this way is far lesser than today and definitely not actionable immediately the way it is today.
Now, w.r.t making some companies more powerful – that is not inherent to DoH. DoH makes it possible for anyone to operate a secure and private resolver and any client is still free to choose who should be their upstream dns resolver. Client auto configuration protocols will evolve to support the ecosystem as more DoH resolvers show up.
However this claim could be true in the future if/when Encrypted SNI (ESNI) for TLS 1.3 is deployed. Although ESNI is at the draft stage  and to the best of my knowledge is not at a deployable stage yet.
However it might be finalized and deployed by the time DoH for Chrome is finalized too ?
People are upset about Firefox's new default of routing DoH to Cloud Flare, and I understand why. But it's useful to keep the issues distinct: DoH is a good thing (your ISP should not be able to see your DNS queries), even if routing them to Cloud Flare isn't.
It seems interesting that the article and many comments here identify the application level as inherently wrong and the OS level as inherently right.
What if you were running docker containers on a server?Is it incorrect for the containers to set their own resolver settings?
For generic containers, it is. If you build your own very customised app, then sure, you can control what it does. But if you build an app, you don't know where/how I deploy it. It may be without internet access. It may be expected to use private DNS zones. It may be expected to query mdns. The container should not guess or assume those things.
That said, I also think that there’s no absolute truth for what constitutes a “specialized use case”. I think if I’m the operator of a network, or a computer, or a container, or an application, having it use custom DNS settings is up to me. And Firefox/Chrome enable that: the operator can change the setting to whatever they want.
Speaking to the default case, Firefox/Chrome moving towards DNS defined at the app layer smells painful to me as a network operator, but ISP DNS interception also smells to me, and for the normal consumer threat model and network topology, Firefox/Chrome using CloudFlare DNS is essentially pure win. Most consumer users aren’t on networks with split-horizon DNS, and most consumer users aren’t at risk from CloudFlare logging their DNS requests, even assuming they’re violating their published privacy policies.
Is this just a Mozilla one man show or are there plans by anyone else to support this? Maybe make this a standard? Some googling revealed nothing... Now the way Google does it sounds somewhat reasonable but who knows what the future will bring, or what other software will adapt DoH.
> In particular, we are aware of how DNS can play an important role in ISP-provided family-safe content filtering.
Lots of families with children use their ISP's safe browsing facilities which is usually implemented via alternative DNS servers.
Yes it is not terribly difficult to defeat, but it is cheap and effective for small and non technical children.
This does at least seem like a more sensible experiment than Mozilla's which will break the above scheme for every Firefox user.
If a network DHCP server publishes a local DNS server that is not on the list, DNS traffic will not bt encrypted?
So a network operator wishing to continue spying on its users just needs a local DNS proxy?
No, they say providers, and mean providers. They are starting their experiment with a whitelist:
If you're already using one of those then Chrome/ium will change from "plain DNS" over to DoH. If you are not using one of them already, then nothing will change.
Pi Hole uses DNSmasq as its DNS (and DHCP) server, and the few DNSmasq mailing list threads I've seen on the topic seem to indicate that the DNSmasq developers are not interested in either DoT or DoH. One said that it would be difficult to implement because of architectural issues IIRC.
It may be necessary to use a front-end proxy:
Note: this is using cloudflared but that's just a DoH, it can and happily will query whatever provider you tell it to.
What, like your ISP?
I'm struggling to see why DoH means "is even more of your private data to a centralized provider with questionable ethics", which is what the OP said.
Cloudflare, Google, and all of these other centralized dns/ntp services are hazardous to our health.
I'm sure you're very knowledgable, but if Paul gives DNS advice, listen to him.
Ah, you're too busy to make the case. Aren't we all.
> DNSSEC. The internet is supposed to be decentralized, not centralized.
DNSSEC centralises the DNS system with governments.
> Cloudflare, Google, and all of these other centralized dns/ntp services are hazardous to our health.
Saying it doesn't make it so.
> I'm sure you're very knowledgable, but if Paul gives DNS advice, listen to him.
I'm familiar with Paul's view. Given that most people can't or won't run a local resolver, how does it help?
> https://encrypted-dns.org .. setup dns correctly, teach your friends and colleagues to do it
Gosh, I had no idea it was this simple. Let me get onto the job of teaching the entire world something immediately! We should also tell all the folks at the IETF and the EFF that we've solved the privacy problem!
> Google is the bad guy, and Cloudflare is on their way to that realm
Repeating this still doesn't make it so.
Now tell me your financial status and your credit rating. Actually, I'll just ask Google, they already know.