[BretG57]

what is the purpose of dns over https? I mean this with respect to privacy from an isp (preventing them from selling my data to advertisers etc...).
I have recently added a pi-hole to my network and decided to use dns over https with cloudflare but after giving it some thought, I don't know if I see the point. My isp will still see the ip address of the websites I visit and can't they just reverse lookup the domain names?
DOH is now an optional feature in firefox+chrome and there is a bunch of information on the web about it increasing privacy. I don't see it, is there some other reason to use dns over https?
I decided to post this here because I think this is where I will likely hear a response from a real expert . Thanks in advance for any responses.

-Bret

[Alozaros]

Without DoH, DNS hits go in plain text.... all of them...and lives opportunities for man in the middle attacks and so...
with DoH or DoT or DNScrypt they go encrypted...and eliminate those opportunities...

DoH is a double edge dagger, as it helps to secure DNS, but DoH goes around some DNS based firewalls or host names based filters, that usually can help you with malicious activity's...

But than again you can use Adblocking and Malicious filtered DoH DNS providers...

Personally i love FFx DoH and its settings, and use it on my systems along with 9.9.9.9 DNS or Adguard DNS instead of 1.1.1.1 ...
Quad9 has strong and serious malicious packet filtering....
you can find all details for FFx DoH settings on ggl or look at FFx help all light is there...

If you decide to give a go on DoT, link is in my signature,
same for DNScrypt...tanks to mac913

[tinkeruntilitworks]

i've had similar thoughts. i'm low knowledge but seeing isp companies fighting against the push for encryption tells me it must be somewhat worthwhile

[SurprisedItWorks]

I agree with all of the above. FWIW, malware-filtering DNS providers Quad9 DNS and Adguard DNS can be checked out at https://quad9.net and https://adguard.com/en/adguard-dns/overview.html respectively. I also use both, Quad9 as my primary and Adguard as a backup in case Quad9 is having issues (very, very rare). Quad9 has more servers and is faster, but of course the ad filtering by Adguard is great.

[tatsuya46]

its for the security paranoid to fell a bit less paranoid

(instead, keep reducing performance and latency for "security" and lets all trust a company, reminds me of NORDVPN, lololol)

[tinkeruntilitworks]

i believe cloudflare has a company audit them to ensure they're following their guidelines

[BretG57]

Alozaros:
Okay thank you for all the information! Shouldn't just enabling DNSSEC be able to stop the man in the middle attacks though. I realize there are possible security advantages to using encrypted DNS but I'm more curious about the privacy at the moment. There are all kinds of information on the web about how it increases privacy but actually I don't see how it can increase privacy at all. I think an isp has access to all the ip address for websites that a person visits and they should just be able to reverse the dns, thereby getting all the names of the websites you visited, then they can just sell that to advertisers. Wouldn't this be simple for them or am I missing something.

[BretG57]

[tinkeruntilitworks]

when i asked a similar question someone linked this https://dnsprivacy.org/wiki/m/mobile.action#page/1277987

[Alozaros]

yep DNSSEC helps but in very limited scenarios...
it does not do any encryption at all ....

Encrypted DNS prevents form certain attacks and help with
hiding the DNS hits...as it moves them to an tls or https communication that looks like site to site encrypted channel,
but yep there are technologies that you can reverse and find where your clients ware...but not always works

Than if you want a real privacy than you'd need a proper VPN and use an encrypted DNS that goes into the VPN channel....or use Tor network, or use I2P, or just use a parrot with few tweaks...

I personally use PIA VPN and it helps a lot with privacy, as well its an easy to set up and works great on DDWRT routers... (just bear in mind you'd need a powerful router to run VPN) or Wireguard

also bear in mind 1.1.1.1 is not the best free DNS by far...use 9.9.9.9 instead

have a read this link that tinkeruntilitworks posted

[SurprisedItWorks]

[tinkeruntilitworks]

@Alozaros

curious what providers you would suggest

i know quad9 is a favorite and have seen you also mention adguard. are there any others? would using round robbin be good for privacy so my look-ups are spread over multiple companies instead of just 1?

i've found these that'll do dns over tls

9.9.9.9 dns.quad9.net
1.1.1.1 cloudflare-dns.com
8.8.8.8 dns.google
176.103.130.130 dns.adguard.com
185.228.168.9 security-filter-dns.cleanbrowsing.org


*question obviously open to anyone too

[Alozaros]

hmm.... many servers support TLS
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers#DNSPrivacyTestServers-Otherserverswitha'nologging'policy

about round robin
it depends from your case...
for home/small office network you can use 1 or 2, this speeds up DNS, but also takes resources...and could be compromised from the LAN side in certain scenarios...very uncommon scenarious...but yep its safe to be used 1 or 2

i my case, i use 0 with lower idle_timeout 8000 and its fine, as if the first request hags, it querries the next DNS, if there are too many requests at the same time it will delay a bit, but nothing too bad...
option 1 or 2 is excellent for bigger networks with a lot of routers and clients refering to the same DNS IP running Stubby...I have to admit i sat up DDWRT router with Stubby in a quite big network for a client and so far no complains...with rd-robin 1...only....

p.s. i stay away from 1.1.1.1 or 8.8.8.8