As DoH and DoT use cookies and other identifiable information, it is maybe a nice feature to be able to walk through the available Encrypted DNS servers for each request to spread the risk of data / log leaks.
Maybe with options like:
All available
Per region (as some do not want American DNS servers due to legislation there)
Custom lists, for the people that want total control over which DNS to use
There are headers added to DoH packets that could work to fingerprint individual DNS clients, even across multiple source IPs, that’s why I think this feature can be a great addition. If you route all your DNS through a commercial provider, they could easily make a thorough (advertisement) profile about you. Even if they don’t say they log traffic now, that could eventually change if they see a profitable business case. In the end hosting a DNS server costs money and you’ll need to cover those profits.
Classic DNS doesn’t have any space in the packets to add extra information and doesn’t do this. The only identifiable things are source IPs and the requests themselves.
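To make the request concrete, here is an added example (not code from Blokada or from the poster) of how a client could spread DoH queries across a resolver pool under the three policies proposed above: all resolvers, one region, or a custom list. It builds the RFC 8484 GET form of each query and hands consecutive queries to different resolvers. The resolver names, URLs and region labels are constructed placeholders, and the `rotate`, `plan_requests` and `decode_dns_param` helpers are this example's own, not an existing library API.

```python
"""Rotating DoH resolver selection (added illustration, not Blokada's code).

Builds an RFC 8484 DoH GET request for each query and picks a different
resolver per request from a pool filtered by policy: "all", one region, or
a custom list.  Pool entries below are constructed sample values.
"""
import base64
import random
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional


@dataclass(frozen=True)
class DohServer:
    name: str
    url: str      # RFC 8484 endpoint
    region: str   # constructed label such as "eu" or "us"


# Constructed sample pool; the URLs are placeholders, not real resolvers.
SAMPLE_POOL: List[DohServer] = [
    DohServer("resolver-a", "https://doh-a.example/dns-query", "eu"),
    DohServer("resolver-b", "https://doh-b.example/dns-query", "eu"),
    DohServer("resolver-c", "https://doh-c.example/dns-query", "us"),
    DohServer("resolver-d", "https://doh-d.example/dns-query", "asia"),
]


def select_pool(pool: List[DohServer], mode: str = "all",
                region: Optional[str] = None,
                custom: Optional[List[str]] = None) -> List[DohServer]:
    """Return the resolvers a policy allows: everything, one region, or named ones."""
    if mode == "all":
        chosen = list(pool)
    elif mode == "region":
        chosen = [s for s in pool if s.region == region]
    elif mode == "custom":
        wanted = set(custom or [])
        chosen = [s for s in pool if s.name in wanted]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if not chosen:
        raise ValueError("policy leaves no usable resolver")
    return chosen


def rotate(servers: List[DohServer], rng: Optional[random.Random] = None) -> Iterator[DohServer]:
    """Yield resolvers in a reshuffled order forever, so consecutive queries move between them."""
    rng = rng or random.Random()
    while True:
        order = list(servers)
        rng.shuffle(order)
        yield from order


def build_query(qname: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Encode a minimal RFC 1035 wire-format query; id 0 keeps the GET form cache-friendly."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN


def doh_get_url(server: DohServer, qname: str) -> str:
    """RFC 8484 GET form: wire query, base64url without padding, in the 'dns' parameter."""
    wire = build_query(qname)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{server.url}?dns={b64}"


def decode_dns_param(url: str) -> bytes:
    """Inverse of doh_get_url: recover the wire query a resolver would receive."""
    b64 = url.split("?dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)
    return base64.urlsafe_b64decode(b64)


def plan_requests(qnames: List[str], mode: str = "all", region: Optional[str] = None,
                  custom: Optional[List[str]] = None, seed: int = 0):
    """Assign each query to the next resolver in rotation; returns (qname, resolver, url) tuples."""
    servers = select_pool(SAMPLE_POOL, mode, region, custom)
    it = rotate(servers, random.Random(seed))
    return [(q, s.name, doh_get_url(s, q)) for q, s in zip(qnames, it)]


if __name__ == "__main__":
    for q, who, url in plan_requests(["example.com", "example.net", "example.org"], mode="region", region="eu"):
        print(f"{q:14s} -> {who}: {url}")
```

Rotation alone does not remove the per-connection identifiers the poster mentions; it only limits how much of the query stream any one resolver sees, which is the point of the proposal.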
Our solution to this issue is to provide Blokada DNS, which in turn talks directly to the source DNS servers without a 3rd party.
It will also shorten the query as much as possible to not give full domains to non-essential providers
Which makes you one of the commercial providers I was just mentioning. Not that I question Blokada’s motives and the log policy, but still it makes spreading the DNS requests a good idea.
Sure a distributed solution could be nice, but I wouldn’t consider sharing the queries on multiple providers with the same DNS protocol that may share fingerprintable information to be a nice solution.
Also this is kind of how DNS works today, you talk with multiple servers to get the name you’re looking for. Cloudflare, Google or Blokada is just your “DNS ISP gateway” for managing this multi-hopping while keeping information confidential to the ISP closest to your internet connection.
Blokada provides you with Blokada DNS as well as Blokada Plus for encrypting everything including DNS. We are not considering implementing a distributed protocol for DNS directly on the client in the near future.
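The "shorten the query as much as possible" behaviour mentioned in the reply above is what the DNS world calls QNAME minimisation (RFC 7816): each delegation hop is asked only for the labels it needs, so only the last hop ever sees the full name. The following is an added illustration of that general technique, not Blokada DNS's own code, and it does not claim to show how Blokada implements it. The zone-cut list is a constructed assumption standing in for real delegation data, and `minimised_hops` and `probe_sequence` are this example's own helpers.

```python
"""QNAME minimisation illustration (added example, not Blokada's implementation).

Given a query name and the delegation points a resolver has already learned,
show which shortened name each hop receives (RFC 7816 style) versus the
full name a non-minimising resolver would send everywhere.  Zone cuts are a
constructed assumption, not live DNS data.
"""
from typing import List, Tuple


def labels_of(name: str) -> List[str]:
    """Split 'www.example.com.' into ['www', 'example', 'com']; root '.' becomes []."""
    return [l for l in name.rstrip(".").split(".") if l]


def minimised_hops(qname: str, zone_cuts: List[str]) -> List[Tuple[str, str]]:
    """Return (zone asked, first name revealed to it) for each known zone cut.

    zone_cuts is ordered from the root downwards, e.g. ['.', 'com.', 'example.com.'].
    Each zone is shown exactly one label more than its own name; the full query
    name reaches only the deepest zone.
    """
    labels = labels_of(qname)
    hops = []
    for zone in zone_cuts:
        zl = labels_of(zone)
        if len(zl) > len(labels) or labels[len(labels) - len(zl):] != zl:
            raise ValueError(f"{zone!r} is not a parent zone of {qname!r}")
        reveal = labels[-(len(zl) + 1):] if len(zl) < len(labels) else labels
        hops.append((zone, ".".join(reveal) + "."))
    return hops


def probe_sequence(qname: str, zone: str) -> List[str]:
    """Names sent, one label at a time, to the authoritative server of `zone`
    when no further delegation is found below it (the RFC 7816 walk)."""
    labels = labels_of(qname)
    zl = labels_of(zone)
    if len(zl) > len(labels) or labels[len(labels) - len(zl):] != zl:
        raise ValueError(f"{zone!r} is not a parent zone of {qname!r}")
    return [".".join(labels[-(len(zl) + k):]) + "."
            for k in range(1, len(labels) - len(zl) + 1)]


def naive_hops(qname: str, zone_cuts: List[str]) -> List[Tuple[str, str]]:
    """What a non-minimising resolver does: every hop sees the whole name."""
    full = ".".join(labels_of(qname)) + "."
    return [(zone, full) for zone in zone_cuts]


if __name__ == "__main__":
    cuts = [".", "com.", "example.com."]  # constructed delegation chain
    for zone, sent in minimised_hops("www.example.com.", cuts):
        print(f"ask {zone:14s} for {sent}")
    print(probe_sequence("a.b.www.example.com.", "example.com."))
```

The contrast with `naive_hops` is the privacy argument in one picture: with minimisation the root and TLD servers learn only "com." and "example.com.", while without it every hop, and anyone observing it, sees the full host name.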