Centralised DoH is bad for privacy

I came across an article on DoH (DNS over HTTPS); below is a small part of the article. Please read the whole blog entry.

Recapping what DoH does

DNS is currently typically provided by the operator of a network, which could be your Internet Service Provider, your phone company, your employer or your proverbially evil coffee-shop WiFi.

DNS provided this way is never encrypted. Anyone observing your network traffic can see which DNS look-ups are made. A more capable person could also inject fake answers, potentially rerouting your traffic.

DNS over HTTPS meanwhile encrypts DNS queries going over the network, which means that no one between you and the DoH server can see your DNS queries or modify the DNS responses.

Crucially, in both plain DNS and DoH, the operator of the DNS server can see, sell, block and modify your DNS data. It is only the people in between that get locked out.

DNS & Metadata Privacy

DNS privacy matters. Or more in general, knowing what sites you visit matters: your traffic metadata. A complete listing of sites (and servers) contacted will reveal where you work, live, study, what your hobbies are, what equipment/devices you own, what sports teams you follow, which health care providers you frequent, what brand of car you (want to) own & likely your sexual preferences.

Many governments will also be very interested in who communicates with political parties or organizations they don’t like.

Restricting and choosing who can see the metadata of what sites you visit is therefore very worthwhile.

Source: PowerDNS blog
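The point the excerpt makes, that DoH only hides the query from the path and not from the resolver operator, can be seen directly in the RFC 8484 wire format. The following is an added example (not from the quoted blog or PowerDNS): it builds the plain DNS message a client wraps in a DoH GET request, and then decodes it exactly as the DoH operator does once TLS is terminated, recovering the queried name. The base64url encoding of the `www.example.com` query reproduces the example given in RFC 8484 section 4.1.1.

```python
import base64
import struct


def build_dns_query(name, txid=0x1234, qtype=1):
    """Minimal RFC 1035 wire-format query: header + one question (QCLASS=IN)."""
    # flags 0x0100 = recursion desired; QDCOUNT=1, AN/NS/AR counts = 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_path(wire):
    """RFC 8484 GET form: the message goes in dns=, base64url with padding stripped."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + b64


def resolver_view(path):
    """What the DoH operator sees after TLS terminates: the decoded question.

    An on-path observer sees only a TLS session to the DoH server; the operator
    of that server sees this.
    """
    b64 = path.split("dns=", 1)[1]
    wire = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    txid, flags, qdcount = struct.unpack("!HHH", wire[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while wire[pos]:  # labels are length-prefixed, terminated by a zero byte
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", wire[pos + 1:pos + 5])
    return {"txid": txid, "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    # Constructed sample: the names a client might look up in one session.
    for host in ("www.example.com", "mail.example.org"):
        path = doh_get_path(build_dns_query(host))
        print(path, "->", resolver_view(path)["qname"])
```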