What an absolute piece of misleading crap. This article demonstrates an amazing level of incompetence in understanding the stated technologies and open ecosystems https://twitter.com/arunmsukumar/status/1274312621068390400
DoH is an open protocol. Anyone can run a compliant implementation. This is as open as it gets. I run my own DoH service at home
Most DNS hijack attacks tend to be state actors, because of the nature of the place that DNS servers sit at (telecom infrastructures), and that's precisely what DoH helps address.
To compare it with LEA issues just screams agenda. By this definition, we would still be running with 56-bit DES
The article also claims that DoH is bad because it doesn't solve all kinds of surveillance. Did you stop wearing seatbelt because it doesn't protect you from all kinds of accidents? DoH solves only the DNS privacy and solves it well.
One is entitled to opinions about organisations and policies, but at least apply some basic common sense man, and talk sense.
Also sharing my thoughts on this "delicious takedown" of DoH linked by @arunmsukumar on his handle, where Paul (of DNS & BIND fame) shares "political" "issues" with DoH:
Issue #1: DoT was already there. Yes, but on a different port, making it far too easily blockable, ironically by the very ISPs and state actors that abuse DNS the most
Issue #2: Parental controls. Just because DNS got used earlier to solve for easy blocks doesn't mean that's the answer. Even if it were to continue, it just means hooking up to a "filtered" DoH resolver. IMHO, parental controls are best handled at platform level, not protocol
Issue #3: Stub-RDNS doesn't address privacy completely. Worst case, true, but further chains don't have original client's IP. Best case, further chains are using DoH, or DoT
Issue #4: Eavesdropper can still guess DNS answer based on what happens later. My guess is he's talking of SNI, which should be addressed with TLS 1.3 eSNI. Again, not a DoH scope issue
Issue #5: You still need a VPN to stay out of jail in authoritarian regimes. This is using an extreme example to deny a more routine dignity, same as saying - why wear clothes in a hospital, your doctor will see you naked anyway.
Issue #6: Internal-only TLDs. Solvable - use a custom DoH resolver, or disable DoH. And the concern is secondary to the advantages for public TLDs
Issue #7: The web is not the whole Internet, what about apps? Of course, but did we stop the SSL/TLS rollout because it first came to browsers?
That's not to say he doesn't bring up some relevant issues, e.g. concerns about some WGs discussing ignoring DNSSEC in favour of TLS, but we need to evaluate anyone's ideas on their own merit, no matter who the person is.
My impression of the talk was that it was way more from the perspective of a network person, and someone who's too close to the DNS, than an objective view of the needs of Internet users.
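Added example, not part of the thread above and not the author's code: Issue #1 and the "DoH is an open protocol" point both come down to what a DoH client actually puts on the wire per RFC 8484. A DoT client opens TLS to port 853, which a middlebox can block with one port rule; a DoH client sends an ordinary DNS wire-format message inside an HTTPS request to port 443, indistinguishable at the transport layer from any other web traffic. The code below builds such a query, encodes it into the GET form (base64url, no padding), decodes it the way a resolver would, and parses the wire-format answer. The resolver hostname dns.example.test and the sample response bytes are constructed for the example; nothing is sent over the network.

```python
"""
Offline walkthrough of the RFC 8484 (DNS over HTTPS) message format.

A DoH query is a plain RFC 1035 wire-format DNS message carried in HTTPS:
  GET https://<resolver>/dns-query?dns=<base64url(message)>   (port 443)
  Accept: application/dns-message
Compare DoT, which carries the same message over TLS on its own port (853),
so a single port-based firewall rule is enough to block it.
"""
import base64
import struct
from typing import Dict, List

DOT_PORT = 853   # dedicated DoT port, trivially blockable
DOH_PORT = 443   # DoH shares the HTTPS port with all other web traffic


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a wire-format DNS query for `name` (qtype 1 = A record).

    RFC 8484 section 4.1 recommends transaction ID 0 so that identical
    queries yield identical URLs and can be answered from HTTP caches.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver_base: str, query: bytes) -> str:
    """GET form of a DoH request: base64url without '=' padding (RFC 8484 s6)."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_base}/dns-query?dns={encoded}"


def doh_headers() -> Dict[str, str]:
    """Headers a client sends alongside the GET above."""
    return {"Accept": "application/dns-message"}


def decode_dns_param(url: str) -> bytes:
    """Resolver side: recover the wire-format message from the ?dns= parameter."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def _skip_name(msg: bytes, offset: int) -> int:
    """Skip a (possibly compressed) name; return the offset just after it."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(msg: bytes) -> List[str]:
    """Return dotted-quad strings for every A record in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 == 0:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F != 0:
        raise ValueError(f"RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qd):                  # skip the echoed question section
        offset = _skip_name(msg, offset) + 4
    answers = []
    for _ in range(an):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return answers


# Constructed sample response (not captured from a real resolver): the
# example.com A query echoed back with one answer, 192.0.2.1, TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)      # QR+RD+RA, 1 q, 1 answer
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c"                                       # name = pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    url = doh_get_url("https://dns.example.test", q)    # hypothetical resolver
    print(url, doh_headers())
    assert decode_dns_param(url) == q
    print(parse_a_records(SAMPLE_RESPONSE))
```

The only things an on-path observer sees for the DoH exchange are a TLS session to port 443 and the resolver's name in the (still unencrypted, pre-ESNI) SNI field, which is the residual leak Issue #4 alludes to; the query name itself never appears in the clear.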