Mozilla jumped the gun on this, all they really needed to do was announce their DoH application program _before_ they started turning it on by default.<p>As it stands, Mozilla has a Trusted Recursive Resolver Policy[0], which CloudFlare abides by, but lots of other resolvers (such as Quad9) are not allowed to be added to the FF config.<p>I'd reached out to Mozilla months back asking for the application process (when they announced the TRR policy). I've been running a DoH resolver from within Indian jurisdiction (for legal research) - but without Mozilla having a process - it is just me using it.<p>[0]: <a href="https://wiki.mozilla.org/Security/DOH-resolver-policy" rel="nofollow">https://wiki.mozilla.org/Security/DOH-resolver-policy</a>
[1]: <a href="https://captnemo.in/doh/" rel="nofollow">https://captnemo.in/doh/</a>
Paul Vixie gave just gave a talk at vBSDCon about DNS-over-HTTPS where he outlines some the problems he seems at it. Hopefully the video will be up shortly, but in the meantime some slides:<p>* <a href="https://twitter.com/DLangille/status/1169962162854514688" rel="nofollow">https://twitter.com/DLangille/status/1169962162854514688</a>
Agreed. Mostly regarding the part that DNS should be solved at the OS level.
Encrypted DNS is a good idea, HTTPS seems like a questionable encryption layer, but it will serve.
However, apps should not take DNS into their own hands.<p>DNS is part of a systems configuration. By setting it, you choose, and can change, your views of the internet. If all of a sudden, that view becomes inconsistent across apps, that is confusing. Moreover, if an application gives an unexpected view of the world (e.g. missing local domains, local redirects, or local blocks) that can have negative impact.<p>If we screw this up in our haste to secure DNS, we'll be stuck with another legacy half-solution our internet infrastructure. This is essentially taking on global technical debt to get secured DNS requests just a bit faster.
For us Russians, it's a very welcome feature. Our government illegally does mass-scale censorship/blocking of websites, making the Internet almost unusable without commercial VPN, and it looks like soon commercial VPN services would be blocked too. This DoH feature might help to combat the problem without complex measures.
It would be nice if Firefox also had DNS-over-TLS support.<p>I'm not against encrypted DNS, and can see where DoH can be handy for a lot of the general public, but as someone in IT, having to jump through hoops to keep our internal split-horizon DNS workings is annoying.