Why DoH is not about privacy

There's an interesting trend happening right now. Firefox now defaults to DNS-over-HTTPS via Cloudflare for users in the United States. Mozilla says this is about privacy, but there's little evidence that it helps enough to be worthwhile. Let's examine the benefits and pitfalls of DNS-over-HTTPS (DoH).

First, let's address a big problem that makes it difficult to have discussions about DoH. Mozilla's marketing campaign has successfully convinced people that Mozilla is doing this for everyone's good, and that they and Cloudflare are acting for purely altruistic reasons. They very well may be, but if so, it belies a problem with their fundamental understanding of the issue they claim to be solving. Whatever their motivation, some fans of Mozilla and Cloudflare seem to balk at the suggestion that we rationally examine the long-term implications of widespread DoH use. I don't want a flamewar (famous last words, right?); instead I want to encourage a reasoned discussion of the merits and pitfalls of DoH based on facts and real-world scenarios. I'm not looking to convert anyone to a specific way of thinking, but rather to encourage people, fans or not, to see all sides of the possible future with DoH.

Let's look at the assumptions we need to make if we want to believe DoH's claims about privacy and censorship.

First, there's privacy. From whom are we gaining protection? According to Mozilla, "DoH, when enabled, ensures that your ISP cannot collect and sell personal information related to your browsing behavior". But is this really true? Ignoring the underlying problem of an FCC run by a pro-business lobbyist that refuses to protect citizens, let's imagine ISPs of various degrees of evil and consider what options they currently have:

Not evil: you pay your ISP, they give you an Internet connection, and everything is fine.

A little evil: your ISP wants to make extra money by selling your browsing behavior. They log all DNS queries made to their servers and sell the data.

More evil: your ISP isn't happy with the money they get from you and from selling your DNS data, so they start monitoring all of your traffic and log all of your DNS queries in flight, regardless of which DNS server you use.

Even more evil: your ISP wants all the money, so in addition to the money you pay and the money from selling DNS data (both from their own servers and from inspecting your DNS traffic), they also look at everything else they can: SNI, IP addresses, frequency and size of data exchanges, and so on.

So let's look at two common solutions and DoH:

One, we don't like or trust our ISP to provide DNS, so we use Quad9, Google, Cloudflare or another public DNS service.

Two, we're a little more concerned, and/or perhaps we want to block ads, so we run our own local recursive DNS resolver, preferably with DNSSEC, simply by running BIND or Pi-hole anywhere on our local network, and we use that for DNS for our whole network.

Three, of course, is DoH.

Solution one takes care of ISPs which are not evil and just a little evil, but doesn't help with more evil or even more evil ISPs. Solution two also takes care of ISPs which are not evil and just a little evil, and it also doesn't help with more evil or even more evil ISPs, but it does offer advantages: DNSSEC-validated lookups can't be spoofed, and ads, trackers, Trojans and spyware can't be inserted mid-stream, as has happened with more evil ISPs like Verizon. That is a separate issue, though, which we will look at later. Solution three takes care of not evil, a little evil, and more evil, but does it really take care of an even more evil ISP? Let's look at this.

DoH, as it's currently implemented, doesn't do encrypted SNI, so if someone is examining data in flight to extract DNS lookups, they can just as easily look at SNI.
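To make the SNI point concrete: the hostname sits in plaintext in the TLS ClientHello, so a passive observer on the path (your ISP, or your own IDS) reads it whether or not the preceding DNS lookup was encrypted. This is an added example, not code from the original post: it constructs a minimal ClientHello carrying a server_name extension (layout per RFC 6066) and parses the hostname back out of it; the sample hostname is constructed.

```python
import struct

def build_client_hello(hostname=None) -> bytes:
    """Build a minimal TLS ClientHello record (constructed sample, not a capture).
    With hostname=None the handshake carries no extensions block at all."""
    body = (b"\x03\x03" + b"\x00" * 32      # client_version + 32-byte random
            + b"\x00"                        # session_id length = 0
            + b"\x00\x02\x13\x01"            # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00")                   # one compression method (null)
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry                 # ServerNameList
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni            # extension type 0
        body += struct.pack("!H", len(ext)) + ext                   # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type 22

def extract_sni(record: bytes):
    """Return the server_name a passive monitor would see in a ClientHello,
    or None when the record is not a ClientHello or carries no SNI."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 43                                     # record hdr 5 + hs hdr 4 + version 2 + random 32
    pos += 1 + record[pos]                       # skip session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + record[pos]                       # skip compression_methods
    if pos + 2 > len(record):
        return None                              # no extensions block present
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0x0000 and elen >= 5:        # server_name extension
            nlen = struct.unpack("!H", record[pos + 3:pos + 5])[0]  # skip list len + name_type
            return record[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
        pos += elen
    return None

if __name__ == "__main__":
    hello = build_client_hello("example.org")
    print("SNI visible on the wire:", extract_sni(hello))
```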
While ESNI (encrypted SNI) will fix this, shouldn't we have waited for that to be the default? Also, does DoH stop an even more evil ISP from examining all traffic and selling our browsing patterns regardless of DNS? No, not meaningfully. So DoH only helps with one aspect of what an even more evil ISP can do.

Also, let's ask ourselves how many ISPs are more evil rather than even more evil. Is it really true that monitoring DNS in flight is low-hanging fruit that some ISPs will want to examine, but that they're too lazy to do more? I genuinely don't know, and if anyone has any data, please share. However, if we're privacy-concerned people who genuinely don't know whether our ISP is more evil or even more evil, then is it really good enough to simply encrypt DNS? (From here on, let's pretend that DoH is already doing ESNI.) We've taken DNS out of the equation, but is this enough if our even more evil ISP is monitoring every connection, every IP, every fingerprint they can find?

So here is the real question when it comes to privacy: if we're truly concerned, is it good enough to simply protect DNS? Or should we be using VPNs if we suspect our ISP is monitoring our traffic?

The counterpoint: should we NOT be protecting our DNS? Doesn't every little bit of protection help? Well, sure. But there are downsides to HOW protecting DNS works with DoH. Let's also consider that removing DNS from the equation may, at least a little, take away the incentive for more evil ISPs to stay that way and nudge them back toward just a little evil. Likewise, it may push them to become even more evil. It can obviously work both ways.

Next, let's look at censorship.