The claim that ISPs are concerned about Google DNS being anti-competitive or too powerful really rubs me the wrong way.

Google has offered DNS services for years, and ISPs didn't care. The 'problem' isn't that Google is offering its own DNS -- it's that now those queries are encrypted and ISPs can't read them.

The pushback on this has been really eye opening for me. I knew that obviously ISPs were reading DNS queries, but I think the amount of effort ISPs are putting into stopping what is a fairly basic security measure means that I under-appreciated just how much they care about that data. Apparently unencrypted DNS is a bigger threat than I realized.

If ISPs aren't monetizing this stuff now, they're probably planning to.
My issue with browser-based DoH is when it defaults to ON.

That was Mozilla's original plan for Firefox. That's a problem for those of us who use DNS to reduce the risk from malware, advertising and other invasive technologies. DoH effectively circumvents those protections.

After a crapstorm, Mozilla walked that back and made DoH a user choice. Even better, Firefox queries the use-application-dns.net zone - which (added to a local DNS server) tells Firefox to turn off DoH. This is super helpful for those who use DNS to safeguard networks.

Now, better than DoH and a more elegant solution overall is DNS over TLS (RFC7858), which is simply encrypted DNS. It's the natural next step. Frankly, we all should have been using it for years. It's just beginning to gain support, tho.

As it stands now only a handful of public DNS resolvers support it (Quad9, Cloudflare, Google, someone in Germany). None of the root servers do. Nor do ISPs' resolvers.

My approach is to run a local DNS resolver (Unbound) which forwards its queries over TLS. Local users' queries are plain text but the forwarded (public network) queries are encrypted.
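An Unbound configuration that implements the setup this comment describes, added here as an example and not taken from the comment: upstream queries are forwarded over TLS to two of the resolvers named above (Quad9 and Cloudflare), and the use-application-dns.net canary answers NXDOMAIN so Firefox turns DoH off. The CA bundle path and the blocked `ads.example` zone are assumptions for illustration.

```conf
server:
    # Listen only for the local network; plain DNS stays inside the LAN.
    interface: 127.0.0.1
    interface: 192.168.1.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow

    # CA bundle used to validate the upstream resolvers' TLS certificates
    # (path assumed; Debian/Ubuntu location).
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # Firefox canary: an NXDOMAIN answer for this name tells Firefox
    # to disable its built-in DoH and keep using the system resolver.
    local-zone: "use-application-dns.net." always_nxdomain

    # Example of the DNS-based protection the comment refers to:
    # sink an unwanted domain locally (constructed name).
    local-zone: "ads.example." always_nxdomain

forward-zone:
    name: "."
    # Send everything not answered locally upstream, over TLS only
    # (port 853, with the authentication name checked against the cert).
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

Check the result with `unbound-checkconf` and then `dig use-application-dns.net @127.0.0.1`, which should return NXDOMAIN.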
Archived copy, which can be read without JS enabled:

https://archive.is/5GypR
> The first claim is that Google is going to redirect user DNS traffic to Google's own DNS or another DoH-compliant DNS provider. That is incorrect. Because we believe in user choice and user control, we have no plans to force users to change their DNS provider. [...] We're simply enabling support in Chrome for secure DoH connections if a user's DNS provider of choice offers it.

Chrome will use the DoH frontend of the DNS server of the computer it's running on, respecting the user's choice. Instead, the Mozilla Corporation has decided that Firefox will route all DNS requests through CloudFlare regardless of user settings.