HN Reader

DoH is a technical win but a practical regression for anyone who actually runs their own DNS. With classic DNS, you could hand out your resolver via DHCP and transparently control local zones. With DoH, that's gone. You have to configure each client explicitly, because the traffic is wrapped in HTTPS and can't be intercepted.

And the defaults don't help: instead of your ISP seeing your queries, now it's Cloudflare, Google, or whichever big player your browser hardcodes. That's not decentralization, it's centralization under a shinier marketing story.

Encryption is good, censorship resistance is good, but the rollout conveniently shifts power away from users and toward a handful of global DNS silos. For technical folks, it feels less like progress and more like lock-in with extra steps.

Single-handedly, Firefox (independently from how crappy it can be at times) is what is keeping me on Android. Its full extension support (i.e.: uBlock Origin support) is something that I can't really do without. I do wonder if the crowd here knows of other good alternatives though - specifically, Android and/or iOS browsers with "full" uBlock Origin support (no uBlock origin lite, no other blocker, ...). I would love to be made aware of a few alternatives. I am aware that there is a browser from Kagi that works on iOS (I think?) but it's still in beta and closed sourced so not ready for prime time on my device. I am also aware of some peers of Firefox like Waterfox.

This doesn't address why this needs to be built in to the browser when Android already does DoH by itself. I assume there's a reason, does anyone know what it is?

Not sure why it took so long for Mozilla to expose the setting on Android, it's been a 'secret' setting for a long time. In fact, sometimes they let features ride the rails for a little bit too long IMO.

For Waterfox for Android I exposed the setting by default and also added an addition DNS over Oblivious HTTP setting (DoOH) which uses Fastly as the relay (they host and control it, for privacy sanitisation) and Cloudflare as the resolver.

I have long been using my own recursive DNS server through Wireguard on my GrapheneOS device. I don't see how using DoH through one of the few well known centralized providers is better for privacy.

What's the good DoH provider nowadays? I feel like cloud flare has some downsides in terms of centralization

DoH centralizes DNS traffic at a few DoH resolvers. Bad thing.

You can set DoH in all major browsers in desktop. On iOS, you can use private relay.

One issue is, if you set DoH in the browser, you can not do DNS filtering in your dns server. It might be better to send DNS over VPN to your home lan, do the filtering there, and let your dns server send the dns over https.

Tailscale can send DNS from all devices to a server of your choice. From there, AdGaurd or Pihole will filter it and send it over https.

Does anyone know how to force disable DoH on a network?

In https://support.mozilla.org/en-US/kb/canary-domain-use-appli... it says that the canary domain does not apply for users who have made the choice to turn on DoH by themselves.

I want to avoid running an sslproxy, and it seems an application level proxy on the firewalls is necessary.

I wonder why DOH is in the intro described as getting activated by region. Is DoH now active globally for every region, on any (desktop) platform (Mac/Windows) ?

>DNS query [...] in the clear. [...] (DoH) plugs this privacy leak [...] no one on the network, not your internet service provider [...] can eavesdrop on your browsing

Whoever could see DNS traffic can still see the target you're connecting to...

I wonder - whose public keys are needed for this particular DoH implementation to work? How do we know that they're legit?

Update title to include "DNS-over-HTTPS"

Why did Firefox choose to implement DNS over HTTPS (DoH) instead of DNS over TLS (DoT)? Doesn’t HTTPS add an extra layer for DNS queries?

Anyone else never seen this acronym for DNS-over-HTTP before?

That took way too long. I was getting so tired of my default ISP's DNS blocking websites it just doesn't like.

Firefox for Android is some of the worst software I've ever used. A lot of extensions won't work in it, and even Edge Canary is far better with them. It is extremely slow, and the UI is horrible.

I'm running it on a device with a Qualcomm SM8635 Snapdragon 8s Gen 3 chipset, and it just crawls. The UI is very unresponsive, and page load times are terrible. It also has to reload the page if it was running in the background and you switch back to it.