As a rule nobody likes to read a ton of information about things like DNS (the Domain Name System) and how it is one of the weakest links in the internet tool chain where privacy is concerned. The reasons for this include spoofability but also, more worryingly, that DNS traffic is generally easy to intercept data from. This isn’t new information, but the general idea behind DoH is that we could pre-emptively spoof part of the DNS data that is sent and reduce our footprint somewhat.
The Other Side Of This Issue
It is being suggested (perhaps correctly) that in doing this we open ourselves to more active tracking, more persistent packet sniffing, and ultimately more risk. It is also implied that while these protocols are improving security in one way, they are diminishing it by making us more complacent under a false sense of security.
Browsers are enabling the DoH option for a host of reasons related to faster querying, but at present even the enabled DoH options can be switched off, and in fact switch themselves off wherever a website rejects the protocol. It is reminiscent of older IPV tunneling protocols where, if one isn’t working, the client can default to another, thus undermining the implied anonymity – which isn’t actually anonymity. DoH is actually more about faster querying than actual spoofing, so why is it becoming ubiquitous?
User data can be compromised in attacks that overwhelm servers with requests (DDoS), and getting a user into the TLS session quicker offers better protection. The real spoof here is that DNS caching isn’t essentially the same thing. The information is, generally speaking, “there unless or until a third party starts substituting a quick cache of alternate data.”
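To make concrete what DoH actually changes on the wire, the following is an added example (not code from the original post) that builds a plain DNS wire-format query as it would travel over UDP port 53, then wraps the very same bytes in the RFC 8484 GET form that a DoH client sends over HTTPS. The point a defender should take from it is the one the post is making: the query data is identical in both cases; only the envelope differs, and a client that can fall back to plain DNS gives that envelope up the moment the DoH path fails. The resolver URL and the queried name are constructed placeholders.

```python
import base64
import struct
from urllib.parse import urlparse, parse_qs

# Constructed placeholder values; any RFC 8484 resolver URL and name would do.
RESOLVER_URL = "https://doh.example.invalid/dns-query"
QUERY_NAME = "example.com"
QTYPE_A = 1
QCLASS_IN = 1


def build_dns_query(name: str, qtype: int = QTYPE_A, txn_id: int = 0) -> bytes:
    """Build a minimal RFC 1035 query packet: 12-byte header plus one question.

    RFC 8484 recommends a transaction ID of 0 over DoH so that identical
    queries produce identical (and therefore HTTP-cacheable) request bodies.
    """
    # flags 0x0100 = recursion desired; QDCOUNT = 1; AN/NS/AR counts = 0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the raw query, base64url-encoded without padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def doh_decode_query(url: str) -> bytes:
    """Recover the wire-format query from a DoH GET URL (restores padding)."""
    encoded = parse_qs(urlparse(url).query)["dns"][0]
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(padded)


def parse_question(packet: bytes):
    """Decode (name, qtype, qclass) from the question section of a query."""
    _txn_id, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Name compression is only meaningful in responses; refuse it here.
            raise ValueError("compression pointer in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def same_query_both_transports(name: str) -> bool:
    """True when the DoH envelope carries byte-identical DNS data to Do53."""
    plain = build_dns_query(name)
    via_doh = doh_decode_query(doh_get_url(RESOLVER_URL, plain))
    return plain == via_doh


if __name__ == "__main__":
    q = build_dns_query(QUERY_NAME)
    print("Do53 payload (hex):", q.hex())
    print("DoH GET URL       :", doh_get_url(RESOLVER_URL, q))
    print("decoded question  :", parse_question(doh_decode_query(doh_get_url(RESOLVER_URL, q))))
```

Running it shows the queried name sitting in clear text inside the Do53 payload, while on the DoH path the same bytes are hidden inside TLS and an on-path observer sees only the resolver’s hostname and the request size. That protection holds only while the client refuses to fall back: in Firefox, for instance, the `network.trr.mode` preference value 3 means DoH-only with no fallback to the system resolver, whereas the default-enabled mode 2 silently reverts to plain DNS when the DoH request fails, which is exactly the behaviour the post warns about.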
Is This A Big Hairy Deal?
Not for most users. Many IT people will argue endlessly about the value of using DoT, DoH, etc. until the sky burns out, because we’re nerds. It only affects you if your job is related to tracking user data, or if you are a user who gets screwed over trying to implement this thinking it’s the next big thing. There will be use cases where it might be handy to know about it, but if you imagine your data is somehow safer by flicking on a flag in a browser setting… you are mistaken.
This Is Where A Vendor Would Stick A Solution To Capitalize
Instead I’ll just suggest waiting to try this until you see the first few casualties of widely adopting untested practices in this area. Be safe and as always – thanks for reading this!