DoH is such a weird thing.

I am against individual applications making their own DNS queries. This is a responsibility of the OS.

I love the idea that I can query DNS without being spied upon. However, at home, for the protection of my family and me I want all devices to go through a certain DNS server.

So where does this leave us? We're delegating the statement of 'I'm being secure' to the DNS server itself.

Shoutout to my Google Mini which ignores DNS servers in the DHCP response.
> The use of this domain is specified by Mozilla, as a limited-time measure until a method for signaling the presence of DNS-based content filtering is defined and adopted by an Internet standards body.

Yeah. Once DoH succeeds in preventing DNS based blocking of ads, trackers, etc., I'm sure all the big tech companies will come back to the table and agree on a standard that gives that power back to users.

/s for anyone that needs it.
Reading the comments I think it may sound worse than it is.

> The canary domain only applies to users who have DoH enabled as the default option. It does not apply for users who have made the choice to turn on DoH by themselves.

So basically it sounds like a way for system administrators to disable DNS over HTTPS on their local network when DoH is enabled by default on the machine.

Though I'm not sure what's preventing people from abusing this on public networks and at the ISP level.
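The signal the quoted Mozilla text describes, as an added example that is not part of the thread or of Firefox: a small Python script that builds constructed resolver replies for Mozilla's canary name (use-application-dns.net, the real name, which the thread does not spell out) and decides whether each reply is the documented opt-out signal (NXDOMAIN, or NOERROR with no A/AAAA records). An administrator can use the same parser on a real reply to check what their resolver actually returns; the message builder and the verdict function are this example's own assumptions.

```python
import struct

# Canary name Mozilla documents for this signal (real name; not quoted in the thread).
CANARY = "use-application-dns.net"
A, AAAA, NOERROR, NXDOMAIN = 1, 28, 0, 3

def encode_name(name):
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(rcode, answers, qname=CANARY):
    """Constructed resolver reply to an A query: QR=1, RD=1, RA=1, one question.
    answers is a list of (rtype, rdata) pairs placed in the answer section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", A, 1)
    rrs = b""
    for rtype, rdata in answers:
        # owner name as a compression pointer (0xC00C) to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + rrs

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def canary_verdict(msg):
    """'disable' if the reply is the documented opt-out signal, 'keep' if it carries
    A/AAAA addresses, 'error' for any other rcode (a failed lookup, not a clean signal)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    if rcode == NXDOMAIN:
        return "disable"
    if rcode != NOERROR:
        return "error"
    off = 12
    for _ in range(qdcount):                 # skip question entries (name + type + class)
        off = skip_name(msg, off) + 4
    addresses = 0
    for _ in range(ancount):                 # count address records; CNAME-only does not count
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype in (A, AAAA):
            addresses += 1
    return "keep" if addresses else "disable"

if __name__ == "__main__":
    print(canary_verdict(build_response(NXDOMAIN, [])))                            # disable
    print(canary_verdict(build_response(NOERROR, [(A, bytes([192, 0, 2, 1]))])))   # keep
```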
Worse, I clicked the thumbs down icon on "Was the article helpful?" at the bottom of their page: a forever circling waiting icon appears. Running latest Mozilla Firefox on latest Apple iOS.

In short, it is a *cricket*

Was going to say: as a DNS administrator of 30 years, this stuff does not fully nor adequately explain how this feature is used or benefits the end-user.
I don't completely understand this.

Isn't the purpose of DoH to increase privacy?

But then if I go to a coffee shop that wants to inspect my DNS queries, they can respond for this mentioned domain in a certain way, and it will result in DoH being disabled and leaving the coffee shop free to inspect the unencrypted DNS queries I am making?
The ship has already sailed... no one says one has to use the prescribed DoH protocol. An app could simply embed a list of known IP addresses and make custom TCP queries using entirely proprietary / opaque protocols to "resolve DNS" or just discover IP addresses for their services.

I'm sure many applications and devices are already doing it. Who has the time and inclination to monitor the network traffic of all their appliances to ensure they're not being spied on? I wish someone would and we'd publicly shame all the scumbags that do it, but alas...