I wonder if this protocol could provide any relief to network admins trying to protect themselves from aggressive Smart TVs and other IoT devices that use DNS over HTTPS to avoid local DNS blocks. I suspect not, since anything designed to protect against ISP snooping should be available to device manufacturers to protect against local admin snooping.
Since the introduction of 1.1.1.1, Cloudflare is able to perform HTTPS man-in-the-middle attacks even for websites which do not use the Cloudflare CDN: they could forge DNS answers and proxy the HTTPS traffic of any website via their CDN, instantaneously issuing a valid HTTPS certificate, as they have root certs and could issue certs for any domain.

Since ODoH, they could perform such attacks without being spotted by ISPs.
Nice.
If you would like to try out an independent ODoH proxy with Cloudflare DNS, I added ODoH proxying to my DoH server last night. Instructions on using it are here: https://padlock.argh.in/2020/12/08/odoh.html
I’m sticking with DNS over dual server/client certificate.

My home LAN gateway is blocking DoH because the hassle of issuing an enterprise-based intermediate CA is not worth the effort to do a Squid TLS transparent proxy so that one can “Pi-hole” to block stray DNS/domains.

This means my own set of authoritative DNS servers.
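A gateway-side check in the spirit of the DoH-blocking setup described above, added here as an example and not code from any of the commenters: it correlates the local resolver's answers with outbound port-443 connections and flags clients that reach IPs the LAN DNS never handed them, which is how a smart TV talking to its own DoH resolver typically shows up. The log formats, the LAN range and all log lines are constructed assumptions.

```python
"""Flag outbound HTTPS connections whose destination IP was never answered by
the local resolver, a common sign of a device bypassing LAN DNS via DoH.
Every log line below is a constructed sample in an assumed format."""
import ipaddress
from collections import defaultdict

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN range

# Constructed local resolver log: "<client> <name> <answered IP>"
DNS_LOG = """\
192.168.1.20 www.example.com 198.51.100.10
192.168.1.20 cdn.example.net 203.0.113.7
192.168.1.31 update.example.org 198.51.100.5
"""

# Constructed gateway connection log: "<src> <dst> <dport>"
CONN_LOG = """\
192.168.1.20 198.51.100.10 443
192.168.1.20 203.0.113.7 443
192.168.1.31 198.51.100.5 443
192.168.1.31 1.1.1.1 443
192.168.1.31 203.0.113.99 443
192.168.1.20 203.0.113.7 80
"""


def parse_dns_answers(log):
    """Map each LAN client to the set of IPs the local resolver returned to it."""
    answered = defaultdict(set)
    for line in log.splitlines():
        client, _name, ip = line.split()
        answered[client].add(ip)
    return answered


def find_dns_less_https(conn_log, dns_log):
    """Return (client, dst) pairs for port-443 connections to non-LAN IPs that
    the local resolver never answered to that client. Port 80 and LAN-internal
    traffic are ignored so only likely DoH/hard-coded endpoints are flagged."""
    answered = parse_dns_answers(dns_log)
    flagged = []
    for line in conn_log.splitlines():
        src, dst, dport = line.split()
        if dport != "443" or ipaddress.ip_address(dst) in LAN_NET:
            continue
        if dst not in answered.get(src, set()):
            flagged.append((src, dst))
    return flagged


if __name__ == "__main__":
    for client, dst in find_dns_less_https(CONN_LOG, DNS_LOG):
        print(f"{client} -> {dst}:443 with no local DNS answer; possible DoH bypass")
```

Hits point at the device to investigate; a resolver with a known DoH endpoint (1.1.1.1 in the sample) is the clearest case, while an unknown IP with no prior lookup may be a hard-coded update host rather than DoH.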