Where is the DNS headed?

If I understand correctly, the author presents a case for securing DNS by moving away from a shared directory toward application-specific directories. At the end, he takes a sharp turn to worry that such a move will tear apart the openness of the internet. I suppose an analogy is moving from phone numbers, with shared telco-managed directories, to chat apps managing their own directories. You can’t contact me on Instagram with my HN handle because they don’t use shared directories.<p>Ok, but there are more important reasons. Walled-garden directories is a symptom not a cause. For that matter, SNI and path-based load balancers are examples of the application-level address resolution overlay already in practice. Those techniques merely implement, not drive, balkanization.<p>Basically, application-layer DNS doesn’t pass the “but for” test. As in, it is not correct to say “but for application-layer DNS, Facebook&#x2F;WeChat&#x2F;Google couldn’t build walled gardens. With it they can.”

There are a lot of arguments about how DoH with TLS 1.3 will give us privacy etc by the proponents of DoH(not this article).. but it’s basically moving the trust from ISPs to CDNs. There are fewer major browsers and fewer major CDNs than ISPs, I suppose.. so not sure if it’s a good move.

How is DoH a net loss to decentralization (by moving to a few major cloud providers) when DoH is merely encrypting the information to prevent MitM spying? Surely nothing stops your favourite ISP or any other local startup from providing DoH services right? Presumably the DNS servers will still talk to each other on the backend over plain text, but if a DoH front-end can be provided by ANY DNS service then how can it be accused of centralising the Internet?

There will always be a need for a shared global namespace, and DNS needs to improve its security and privacy as the world continues to rely on it. I don’t think DoH is the answer since it just shifts trust from ISPs to CDNs[1]. On the security end, there’s a new DNS protocol called Handshake (<a href="https:&#x2F;&#x2F;handshake.org" rel="nofollow">https:&#x2F;&#x2F;handshake.org</a>) that’s trying to shift the root of trust from CAs to a distributed ledger. It’s still early but it shows promise with NextDNS.io and Vercel.com supporting it.<p>[1] CDNs are a lesser evil than ISPs but I still wouldn’t want to need to trust them to protect my privacy.

s&#x2F;HTML&#x2F;HTTP&#x2F;c in a few places.