Correct me if I’m wrong, but it seems obvious to me that allowing users to choose their own DNS server via DoH seems like a great way users can protect themselves from their providers. Currently the best you could do is use something like HTTPS Everywhere and assume all unencrypted communication is being watched, but with DoH we would be able to hide both our traffic and DNS queries, only leaving the VPN provider with unencrypted traffic and which IPs you’re connecting to.
Is there something I’m missing? If not, should we start pushing for DoH support in VPNs as another way users can protect themselves from their providers?
UPDATE: I also just realized this could apply to Tor as well, so you could hide your DNS queries from your exit node.
Even when you connect to a website with HTTPS, the VPN will still get the domain you visit in addition to the IP because SNI is not encrypted (see: eSNI, which is in development).
Usually when you use a VPN provider you are also using their DNS servers to prevent “DNS leaks”. In this situation DoH would not be particularly useful because your connection to their server is encrypted via the VPN tunnel. However, if your goal is to hide from the VPN provider itself, a DoH/DoT compatible DNS provider would work. So, if you wanted to hide all your browsing traffic from a VPN you would need eSNI, DoT, and HTTPS. But in this situation now you’re trusting yet another party with your DNS data, which is questionable.
Depends on VPN and threat model. My VPN allows you to choose your own DNS providers, but by default my VPN owns and self-manages their own encrypted DNS servers that have query generators to make millions of domain requests a day so you get further lost in the shuffle with all other VPN users sharing that VPN IP. So for me, I’m sticking with that. However, if your VPN does not encrypt from VPN server to DNS server and the DNS server itself is not encrypted outside of the resolver, I’d certainly consider DoH.
EDIT: and no I’m not worried about logging, but DoH is an option to hide your usage from ISP and VPN. My concern is how secure HTTPS is over an OpenVPN tunnel using ECC for keys to the DNS server, and I prefer that protection as there is no doubt the NSA and their ilk have broken HTTPS and lower level RSA.
https://thehackernews.com/2016/10/nsa-crack-encryption.html
> But in this situation now you’re trusting yet another party with your DNS data, which is questionable.
True, but at the same time you’re diversifying who sees what. I’d rather have 5 entities see a little bit of information about me than 1 entity see everything.
>there is no doubt the NSA and their ilk have broken HTTPS
Maybe older TLS versions, but don’t TLS 1.2 and 1.3 use relatively modern cryptography and thus probably haven’t yet been cracked?
Maybe, maybe not. I would not bet on “maybe”.