Centralised DoH is bad for privacy, in 2019 and beyond

An article about encrypted DNS flaws, re. privacy, and the misconception that encryption = privacy:

“Move along, guys; nothing to see, here… and it’s past its due by date, anyways, so…”
Congrats on your trust levels, though; without the support from people like you, big data could’ve never pulled a fast one on everyone the way they did, so, yeah, kudos to you!

Please keep conversations civil.

1 Like

The article brings up a couple of privacy concerns around browsing the web which are still valid today. I don’t think the article says DoH as a protocol is bad.

The DNS provider you select

  • Can see which address you visit
  • May log your request or collect statistics about your behaviour
  • May sell collected information about you
  • May point you to a different server than the one you wanted to visit

Browsing over HTTPS (TLS)

  • In most cases shows what site you visit in clear text
  • May allow downgrading to clear text HTTP, depending on your browser security
  • May be hijacked by governments depending on your browser and DNS provider security
  • Any network provider between you and the site may collect statistics about where you browse

This is why you also need a VPN to remove the middleman attacks, in combination with a trusted DNS provider.
We offer Blokada Plus for the VPN solution and Blokada DNS (beta) which runs in the same network.
We also charge you for the Plus subscription, since we don’t sell your data to third parties.

1 Like

Please remind others not to insult with “snarky” (self?)dismissive remarks, like “an opinion, related to 2019…”. If you’re too dumb to have anything useful to say, just say nothing…

1 Like

This is what I read about it a while back:

Your DNS query before DoH:

ID: 1234
Q/R: Query, Standard, No-recursion
1 question
www.example123.tld
A
IN

Your DNS query after DoH:

GET /dns-query?dns=xxxxxxxxxx HTTP/1.1
Host: www.example123.tld
Accept: application/dns-message
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
(blank line)

1 Like
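The `dns=xxxxxxxxxx` parameter in the post above is not opaque: under RFC 8484 it is the ordinary DNS wire-format query, base64url-encoded without padding, so the DoH server decodes it and sees exactly the same question (`www.example123.tld`, type A, class IN) as a classic UDP resolver would. One detail worth noting is that the `Host:` header of a DoH request names the resolver, not the site being looked up. The Python example below is added here to show both sides of that exchange; it is not from the original post or from any DoH client. The resolver host name `dns.example.net` and the request-line rendering as HTTP/1.1 text are assumptions for readability (real DoH traffic runs over HTTP/2 binary frames inside TLS).

```python
import base64
import struct
from typing import Tuple

RESOLVER_HOST = "dns.example.net"   # assumed DoH resolver host for this example

def build_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a standard recursive query in DNS wire format (RFC 1035).

    RFC 8484 recommends ID 0 for DoH so that identical queries produce identical URLs,
    which lets HTTP caches work; it is the ID, not the name, that is hidden.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)       # flags: RD=1; QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)        # qtype, class IN
    return header + question

def doh_get_request(qname: str, resolver_host: str = RESOLVER_HOST) -> str:
    """Render the GET a DoH client sends: dns= is base64url with the padding stripped."""
    wire = build_query(qname)
    param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return (
        f"GET /dns-query?dns={param} HTTP/1.1\r\n"
        f"Host: {resolver_host}\r\n"                 # the resolver, not the queried site
        "Accept: application/dns-message\r\n"
        "\r\n"
    )

def resolver_view(request: str) -> Tuple[str, int]:
    """What the DoH server recovers from the request: the queried name and record type."""
    request_line = request.split("\r\n", 1)[0]
    param = request_line.split("dns=", 1)[1].split(" ", 1)[0]
    param += "=" * (-len(param) % 4)                  # restore padding for the decoder
    wire = base64.urlsafe_b64decode(param)
    p = 12                                            # skip the fixed 12-byte header
    labels = []
    while wire[p] != 0:                               # read length-prefixed labels up to the root
        n = wire[p]
        labels.append(wire[p + 1:p + 1 + n].decode("ascii"))
        p += 1 + n
    p += 1
    qtype = struct.unpack("!H", wire[p:p + 2])[0]
    return ".".join(labels), qtype

if __name__ == "__main__":
    req = doh_get_request("www.example123.tld")
    print(req)
    print("resolver recovers:", resolver_view(req))  # ('www.example123.tld', 1)
```

What changes with DoH is who can read the question: the network path between you and the resolver sees only TLS to `dns.example.net`, while the resolver itself sees the same name, type and timing it always did. That is the thread's point about centralisation: encryption moves the trust to the DoH provider rather than removing it.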

Yes, providing the User-Agent is unnecessary; Firefox has removed this information.

The other fields don’t really add any more information than regular DNS queries; I’m sure an analysing DNS provider can already figure out which OS and perhaps which browser you are using by checking which domains you query for.

There are no cookies or other storage for tracking used in these types of queries; it just uses the HTTP wrapping. Also, it’s HTTP/2 that is recommended, not 1.1. By using H2, the amount of traffic and the “head-of-line blocking” caused by TCP is reduced, meaning you don’t need multiple connections for parallel lookups.

1 Like