DNS over HTTPS is coming whether ISPs and governments like it or not
Today, users connect to the internet by paying an ISP for a connection. With DNS over HTTPS, they will then effectively establish a second, encrypted DNS connection to resolvers run by companies such as Google and Cloudflare to make web browsing private.
Google is in the process of implementing DoH as part of its Public DNS service, and the Chrome browser will support it at some point.
Increasing privacy can only be a good thing. However, ISPs can (and probably already do) perform reverse DNS (rDNS) queries on the IP addresses you connect to, whether or not you use DoH, to get the information they need. So surveillance is not impossible, but as the article also states, DoH makes it more difficult.
Added to that, the Server Name Indication (SNI) extension is sent in the clear in TLS connections (at least until Encrypted SNI (ESNI) is fully rolled out), so the name of the website you are connecting to may still be visible even though you connect to the website’s IP address securely. This is common with cloud-based web hosts, where IPs are shared between websites.
In this article we are talking about browsers and only browsers. It is positive that browsers are increasing privacy for us, but keep in mind that only the privacy of our browser’s traffic is being enhanced here, unless you use something like a DNS proxy in your infrastructure.
‘DNScrypt-Proxy’ gives you DoH for all your applications’ connections and also supports DNS Security Extensions (DNSSEC), which authenticate DNS records with digital signatures based on public key cryptography. Without such protection, even when you visit a site over HTTPS, your DNS query is still sent over an unencrypted connection.
Cloudflare offers DNS resolution over an HTTPS endpoint. If you are building or enhancing a mobile application, operating system, browser, IoT device or router, you can have it use the DNS over HTTPS endpoint instead of sending DNS queries in plaintext, for increased security and privacy of your users.
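As an added example (not from the original article, and not Cloudflare's or Google's code), the following Python shows what "DNS over the HTTPS endpoint" means on the wire under RFC 8484: the client builds an ordinary binary DNS query, base64url-encodes it into the `dns=` parameter of an HTTPS GET (or POSTs the same bytes as `application/dns-message`), and parses the binary DNS response that comes back. The endpoint URL is assumed (substitute your own resolver's), and the response message is constructed, not captured.

```python
import base64
import struct

DOH_URL = "https://cloudflare-dns.com/dns-query"  # assumed endpoint; use your resolver's URL

def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length byte + label), ending with a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query for name/qtype (1 = A); ID 0 as RFC 8484 recommends for HTTP caching."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID, flags (RD set), QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(query: bytes) -> str:
    """RFC 8484 GET form: base64url-encoded message, padding removed, in the 'dns' parameter."""
    return DOH_URL + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past the name at pos; a 0xC0 compression pointer is two bytes."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def parse_a_records(msg: bytes) -> list[str]:
    """IPv4 addresses from the answer section of an application/dns-message response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE: the resolver reported an error, no usable answers
        return []
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])  # TYPE, CLASS, TTL, RDLENGTH
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed sample reply (not a real capture): example.com -> 192.0.2.1 (TEST-NET-1), TTL 300
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + encode_name("example.com")
                   + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Send the URL from `doh_get_url(build_query("example.com"))` with any HTTPS client and feed the response body to `parse_a_records`; only the resolver, not anyone on the path, sees the queried name.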
Alternatively, the browser could keep using local name servers as in classical DNS; or, if browsers switch entirely to DoH, LANs may have to run internal DoH servers. That is one solution.