
 

I want to emphasise that DoH will make data exfiltration easier, and make fingerprinting *you* easier, though you get to pick who does it (between Google or Google currently)
 
Firefox does it a little better as they allow using a custom DoH server, but it's still not very privacy friendly, yes.
 
The main problem is that its existence means it's a terrifying way to hide the tracks of an attacker

Also - I don't know if there's a non-evil DoH provider
 
The main problem is that its existence means it's a terrifying way to hide the tracks of an attacker
How so? You mean attackers can compromise browser settings and change it to their own server?

Perhaps with time there will be some DoH providers and self-hosted solutions. Still, I think DoT would be a better alternative as the solutions already exist.
 
I meant you can send HTTPS traffic to known endpoints, and get back DNS data (if you are a villain)

It was always possible to do, but used to be harder
 
I meant you can send HTTPS traffic to known endpoints, and get back DNS data (if you are a villain)
Do you mean it will be harder to track villains?

I am pretty sure most of them already use VPN and other means if they want to cover their tracks. Also DNS requests rarely prove anything. They might be circumstantial evidence sometimes and that's it.
 
I mean it will be harder to track DNS traffic to known-malicious endpoints from within your network. If they're using a VPN you probably already know the traffic is unexpected

(This is detecting infiltration and malware)
 
Yep, this already happened to us.

But it also happened before in other circumstances, DoH just adds one more case.
 
I mean - it's super easy to do - and you still need to connect to the IPs - but it's another layer