Why not use DNS over HTTPS (DoH)?

Trust, Privacy, and the “Single Peeper” Question

  • Core disagreement: does DoH improve privacy by hiding queries from ISPs, or just shift all data to one big provider (often Cloudflare)?
  • Some argue Cloudflare (or similar) is more trustworthy than many ISPs, especially where ISPs are legally compelled to log and censor. Others see a US‑based CDN as strictly less trustworthy than a local/regional ISP bound by strong privacy law.
  • Several point out that whoever terminates your DNS (DoH, DoT, or UDP) can see your queries; encrypted DNS mainly stops intermediaries and local networks from snooping or tampering.

DoH vs DoT vs Other Protocols

  • Many say the article’s endorsement of DoT over DoH is incoherent: DoT has the same “single peeper” property and, because it runs on a dedicated port (853), is trivial to block.
  • Pro‑DoH side: using HTTPS/443 lets DNS blend with normal web traffic, making censorship and ISP interception harder. Complexity of HTTP is seen as a justified trade‑off.
  • Critics prefer lighter, DNS‑specific schemes (DNSCrypt, DNSCurve, anonymized DNS, Oblivious DoH) and dislike “abusing HTTP” as a transport.
  • Some suggest running DoT over 443 with ALPN as a middle ground, but note that’s not how most infrastructure works today.

Censorship Resistance and Blocking

  • Several commenters in tightly controlled or meddling ISP environments say DoH is the only way some sites work at all; ISPs block or rewrite DNS, or run transparent DNS proxies.
  • DoH plus emerging ECH is seen as a path to making hostname‑level censorship and profiling much harder.

Self‑Hosting and Recursive DNS

  • A strong contingent recommends running your own recursive resolver (often behind a VPN or WireGuard), sometimes shared publicly for the extra anonymity and caching benefits.
  • Others run Pi‑hole/AdGuard/dnscrypt‑proxy with DoH/DoT upstreams, or Tailscale/Android “Private DNS” for system‑wide encrypted, filtered DNS.
  • Concerns noted: exposure to amplification attacks, need for rate limits, and that queries from resolver to root/TLD/authoritative servers are still mostly unencrypted (mitigated somewhat by QNAME minimization).
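The last point, that the resolver-to-authoritative leg stays in plaintext and QNAME minimization only limits what each hop learns, is easier to see worked through. The following is an added illustration, not code from the article or the thread; it simplifies by treating every label as a zone cut (a real resolver discovers cuts from referrals, so a name under co.uk would take one hop fewer) and uses type NS for the intermediate queries in the RFC 7816 style.

```python
# Added illustration (not from the article or the thread): which part of a
# query each upstream hop of a recursive resolver sees, with and without
# QNAME minimisation (RFC 7816). The resolver-to-authoritative leg is
# plaintext in the common case, so this is what an observer on that leg
# can learn. Simplification: every label is treated as a zone cut.

def resolver_hops(qname: str, qtype: str = "A", minimise: bool = True) -> list[tuple[str, str, str]]:
    """Return (zone_asked, qname_sent, qtype_sent) for each iterative query,
    root first."""
    labels = qname.rstrip(".").lower().split(".")
    n = len(labels)
    hops = []
    for depth in range(n):
        zone = "." if depth == 0 else ".".join(labels[n - depth:]) + "."
        if minimise:
            # send only one label more than the zone being asked already knows;
            # RFC 7816 uses type NS for intermediate names and the original
            # type only for the final, full name
            sent = ".".join(labels[n - depth - 1:]) + "."
            sent_type = qtype if depth == n - 1 else "NS"
        else:
            # without minimisation every hop, including the root, receives
            # the full name and the real query type
            sent, sent_type = ".".join(labels) + ".", qtype
        hops.append((zone, sent, sent_type))
    return hops


def exposure(qname: str, minimise: bool) -> dict[str, int]:
    """Map each zone asked to how many labels of the full name it learned."""
    return {zone: len(sent.rstrip(".").split("."))
            for zone, sent, _ in resolver_hops(qname, minimise=minimise)}


if __name__ == "__main__":
    for flag in (False, True):
        print("QNAME minimisation:", flag)
        for zone, sent, qtype in resolver_hops("www.example.com", minimise=flag):
            print(f"  ask {zone:<14} -> {sent} {qtype}")
```

Run it and the contrast is the whole argument: without minimisation the root and the TLD servers (and anyone watching that plaintext leg) see www.example.com in full; with it, the root learns only com and the TLD only example.com, while the final authoritative server necessarily sees the full name either way. Encrypting the client-to-resolver hop with DoH or DoT does nothing for this leg.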

Application vs System DNS and Control

  • Major dislike: DoH inside browsers and IoT bypasses system DNS and network policy (e.g., Pi‑hole, corporate DNS, local zones). This weakens local administrative control and makes ad‑/malware‑blocking harder.
  • Counter‑argument: system DNS defaults are usually insecure and users rarely change them; app‑level DoH is a practical way to give “normal users” confidentiality from hostile networks.

Assessment of the Article

  • Many call the piece outdated (2018‑era Cloudflare‑only framing) and rhetorically loaded, mixing “Cloudflare bad” with protocol criticisms.
  • Several say its conclusion to “refuse to use DoH” is actively harmful: disabling DoH often just reverts to plaintext DNS, which is strictly worse for most users.