I wonder if this protocol could provide any relief to network admins trying to protect themselves from aggressive Smart TVs and other IoT devices that use DNS over HTTPS to avoid local DNS blocks. I suspect not, since anything designed to protect against ISP snooping should be available to device manufacturers to protect against local admin snooping.
I guess the only solution is to run your own MITM TLS proxy, and hope that the Smart TV or IoT device lets you install your own root certificate. (Which it quite possibly won't without jailbreaking... and even if it does, it probably isn't documented how to do it)
pfSense - it only blocks known DNS over HTTPS servers, but generally all “smart” devices that use it use the publicly available servers. I log and periodically check TCP flow metadata, so I could identify new ones later.
Since 1.1.1.1 introduction, Cloudflare is able to perform HTTPS man-in-the middle attacks even for the websites which do not use Cloudflare CDN: they could forge DNS answer and proxy HTTPS traffic of any website via their CDN, instantaneously issuing a valid HTTPS certificate, as they have root certs and could issue certs for any domain.
Since ODoH they could perform such attacks without being spotted by ISPs.
Nice.
Of course intentionally issuing a fraudulent cert would get them kicked out of every root program, and given a good part of their revenue is from being an automated https CDN that would probably have a significant negative impact.
A MITM-attack which starts from DNS could be narrow targeted, forged DNS responses could be sent to a single person or an organization.
Certificate Transparency monitors are futile here.
Also, if the reputation risks is the only thing which could prevent them from doing so... it is not the security we expect from the cryptographic protocols. A subpoena/warrant could be a more "colossal" threat to their business.
I'd compare the current Cloudflare's power to Kaspersky's ability to steal any file from computers their antivirus is installed on. If they can do it then one day they will have a strong reason to do it, risking the trust and sales volume.
There are tons of goals more important than the trusted status.
Killing Osama, arresting Silk Road, performing or exposure of election fraud, ...
Losing of the status might happen sometimes later while the traffic interception/modification is what they can do right now. And it could be ordered by someone who do not care on those statuses at all.
If you would like to try out an independent ODoH proxy with Cloudflare DNS, I added ODoH proxying to my DoH server last night - instructions on using it are here: https://padlock.argh.in/2020/12/08/odoh.html
I’m sticking with DNS over dual server/client certificate.
My home LAN gateway is blocking DoH because the hassle of issuing enterprise-based intermediate CA is not worth the effort to do a Squid TLS transparent proxy so that one can “Pi-hole” to block stray DNS/domains.
This means my own set of authoritative DNS servers.