In recent months, DNS-over-HTTPS (DoH) has been presented as the epitome of privacy protection. In reality it is not.
According to cybersecurity experts, the DNS-over-HTTPS protocol causes more problems than it fixes and should not be promoted as a privacy technology at all. Instead, the effort should go into better-designed DNS traffic encryption, such as DNS-over-TLS (DoT).
DNS-over-HTTPS was created a few years ago and was proposed as an Internet standard last October (IETF RFC 8484). Encrypted DNS is already supported on Android (as DNS-over-TLS, through the Private DNS setting), and DoH is scheduled to roll out in both Mozilla Firefox and Google Chrome.
DoH wraps DNS queries inside ordinary HTTPS requests, so on the wire they look like any other HTTPS traffic. These requests are sent to DNS servers that speak the protocol, called DoH resolvers, which resolve the query carried in the DoH request and return the answer to the user, also encrypted.
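To make the mechanism concrete, the following is an added example (not code from the article or from any DoH implementation) of the RFC 8484 wire format: the client builds a normal DNS message, base64url-encodes it into the `dns` parameter of an HTTPS GET, and receives the same DNS wire format back. The resolver URL is an assumption chosen for illustration, and the response body is constructed by hand; for the query `www.example.com` the generated URL reproduces the example given in RFC 8484 itself.

```python
import base64
import struct

# Added example (not from the article): RFC 8484 DoH request and response
# encoding. RESOLVER_URL is an assumed, illustrative endpoint.
RESOLVER_URL = "https://doh.example/dns-query"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (RFC 1035 wire format) for `name`.

    The transaction ID is 0, as RFC 8484 recommends for DoH, so identical
    queries produce identical URLs and can be served from HTTP caches.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def encode_doh_token(dns_msg: bytes) -> str:
    """base64url without padding, as the `dns` query parameter requires."""
    return base64.urlsafe_b64encode(dns_msg).rstrip(b"=").decode("ascii")


def decode_doh_token(token: str) -> bytes:
    """Resolver side: restore padding and decode back to DNS wire format."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def doh_get_url(resolver_url: str, dns_msg: bytes) -> str:
    """The GET form of a DoH request (POST carries the same bytes as the body)."""
    return f"{resolver_url}?dns={encode_doh_token(dns_msg)}"


def _read_name(msg: bytes, offset: int):
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_records(body: bytes):
    """Extract (name, ttl, ipv4) tuples from an application/dns-message response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", body[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(body, offset)
        offset += 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(body, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", body[offset:offset + 10])
        offset += 10
        rdata = body[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return records


# Constructed sample response body for a query on example.com:
# one A record, example.com -> 93.184.216.34, TTL 300.
SAMPLE_RESPONSE = bytes.fromhex(
    "0000 8180 0001 0001 0000 0000"              # header: response, RD, RA, 1 Q, 1 A
    "07 6578616d706c65 03 636f6d 00 0001 0001"   # question: example.com A IN
    "c00c 0001 0001 0000012c 0004 5db8d822"      # answer: name ptr, A, IN, 300 s
)

if __name__ == "__main__":
    query = build_dns_query("www.example.com")
    print(doh_get_url(RESOLVER_URL, query))
    print(parse_a_records(SAMPLE_RESPONSE))
```

Nothing in the URL or the body identifies it as DNS to a middlebox that cannot see inside the TLS session, which is exactly why the protocol slips past DNS-based controls: the only thing on the wire is an HTTPS connection to the resolver host.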
This is why companies shipping DoH-enabled products advertise them as a way to stop ISPs from tracking users' internet traffic and as a way to circumvent censorship in oppressive countries.
Experts, on the other hand, say these companies are irresponsibly promoting an unfinished protocol that does not really protect users and causes more problems than it fixes, especially in the enterprise.
DoH does not actually stop ISPs from tracking users.
DNS is not the only protocol involved in web browsing. Many other data points remain visible to a service provider, for example the IP addresses a client connects to and the server name in the TLS handshake (SNI), which is still sent in the clear, and they are enough to work out where a user is going. Claiming that DoH blocks ISPs from tracking users is therefore, to a large extent, false.
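As an added illustration (not code from the article), the following shows one of those other data points: the hostname that every TLS connection announces in its cleartext ClientHello. The parser reads the SNI extension out of a raw TLS record; the builder produces a constructed ClientHello to feed it, with a zeroed random field and a single cipher suite chosen only to keep the sample small.

```python
# Added example (not from the article): what an on-path observer still sees
# after DoH has hidden the DNS lookup. The ClientHello input is constructed.

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(host: str) -> bytes:
    """Construct a minimal ClientHello record carrying an SNI extension."""
    name = host.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name   # name_type host_name
    sni = len(entry).to_bytes(2, "big") + entry               # ServerNameList
    ext = EXT_SERVER_NAME.to_bytes(2, "big") + len(sni).to_bytes(2, "big") + sni
    body = (
        b"\x03\x03" + bytes(32)        # client_version, random (zeros, constructed)
        + b"\x00"                      # empty session_id
        + b"\x00\x02\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                  # compression_methods: null only
        + len(ext).to_bytes(2, "big") + ext
    )
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(hs).to_bytes(2, "big") + hs


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS record, or None if there is none."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None                                   # not a handshake record
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    off = 4 + 2 + 32                                  # header, version, random
    if off >= len(hs):
        return None
    off += 1 + hs[off]                                # session_id
    if off + 2 > len(hs):
        return None
    off += 2 + int.from_bytes(hs[off:off + 2], "big")  # cipher_suites
    if off >= len(hs):
        return None
    off += 1 + hs[off]                                # compression_methods
    if off + 2 > len(hs):
        return None                                   # hello without extensions
    end = off + 2 + int.from_bytes(hs[off:off + 2], "big")
    off += 2
    while off + 4 <= min(end, len(hs)):
        etype = int.from_bytes(hs[off:off + 2], "big")
        elen = int.from_bytes(hs[off + 2:off + 4], "big")
        data = hs[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != EXT_SERVER_NAME:
            continue
        pos = 2                                       # skip ServerNameList length
        while pos + 3 <= len(data):
            ntype = data[pos]
            nlen = int.from_bytes(data[pos + 1:pos + 3], "big")
            if ntype == 0:                            # host_name entry
                return data[pos + 3:pos + 3 + nlen].decode("ascii", "replace")
            pos += 3 + nlen
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))
```

Run against a real capture, the same function would recover the hostname from the first packet of almost every HTTPS connection a user makes, DoH or not. It also recovers the name of the DoH resolver itself, so an ISP can see that a subscriber is using DoH and which resolver they chose.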
DoH bypasses enterprise policies.
For businesses, DoH has been a nightmare since the day it was proposed. DoH gives an application a way to replace the DNS resolver assigned by the network with one of its own choosing, so employees can use it to bypass any traffic-filtering solution that relies on DNS.
DNS-over-HTTPS weakens enterprise security.
Experts argue that once DNS queries are encrypted and sent to an outside DoH resolver, an organization can no longer use DNS query data to find out whether a user is trying to reach a known malware domain, let alone block the request. The advice is for companies to consider alternative methods of controlling outbound traffic, solutions that do not rely on DNS data alone.
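The two points above, the resolver bypass and the blind spot it creates, can be seen side by side in an added example (not from the article) that runs a DNS-based blocklist over a resolver log and then a flow-based check over a firewall log. Both logs are constructed; the blocklist domain is invented; the DoH hostnames and addresses are a small sample of publicly known DoH resolvers and would be a maintained list in practice.

```python
import re

# Added example (not from the article). Constructed resolver-side query log:
# every client that uses the corporate resolver shows up here.
DNS_LOG = """\
2019-10-07T10:21:33Z client=10.0.0.5 type=A qname=www.example.com
2019-10-07T10:21:35Z client=10.0.0.7 type=A qname=evil-c2.example
2019-10-07T10:21:36Z client=10.0.0.9 type=AAAA qname=cdn.example.net
"""

# Constructed firewall/proxy log of outbound TLS flows. Client 10.0.0.11 uses
# DoH, so its lookups never reach DNS_LOG; only its TLS traffic is visible.
FLOW_LOG = """\
2019-10-07T10:22:01Z src=10.0.0.5 dst=93.184.216.34 dport=443 sni=www.example.com
2019-10-07T10:22:02Z src=10.0.0.11 dst=1.1.1.1 dport=443 sni=cloudflare-dns.com
2019-10-07T10:22:03Z src=10.0.0.11 dst=198.51.100.23 dport=443 sni=evil-c2.example
2019-10-07T10:22:04Z src=10.0.0.12 dst=8.8.8.8 dport=443 sni=
"""

DOMAIN_BLOCKLIST = {"evil-c2.example"}          # invented for the example
DOH_HOSTNAMES = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}
DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}

KV = re.compile(r"(\w+)=(\S*)")


def parse_kv_line(line: str) -> dict:
    """Turn 'key=value key=value' log lines into a dict (empty values allowed)."""
    return dict(KV.findall(line))


def domain_matches(name: str, blocklist: set) -> bool:
    """True if `name` or any parent domain is on the blocklist."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def dns_blocklist_hits(log: str, blocklist: set):
    """DNS-based control: flag clients whose queries hit the blocklist."""
    hits = []
    for line in log.splitlines():
        rec = parse_kv_line(line)
        if domain_matches(rec.get("qname", ""), blocklist):
            hits.append((rec["client"], rec["qname"]))
    return hits


def doh_bypass_flows(log: str, doh_hosts: set, doh_ips: set):
    """Flows that go to a known DoH resolver, by SNI or by destination address.

    Blocking these at the firewall makes DoH clients fall back to the
    network's own resolver, restoring DNS visibility.
    """
    flagged = []
    for line in log.splitlines():
        rec = parse_kv_line(line)
        if rec.get("dport") != "443":
            continue
        if rec.get("sni", "").lower() in doh_hosts or rec.get("dst") in doh_ips:
            flagged.append((rec["src"], rec["dst"], rec.get("sni") or "-"))
    return flagged


def sni_blocklist_hits(log: str, blocklist: set):
    """Non-DNS control: apply the same blocklist to the TLS SNI of each flow."""
    hits = []
    for line in log.splitlines():
        rec = parse_kv_line(line)
        if domain_matches(rec.get("sni", ""), blocklist):
            hits.append((rec["src"], rec["sni"]))
    return hits


if __name__ == "__main__":
    print("DNS log hits:     ", dns_blocklist_hits(DNS_LOG, DOMAIN_BLOCKLIST))
    print("DoH resolver flows:", doh_bypass_flows(FLOW_LOG, DOH_HOSTNAMES, DOH_IPS))
    print("SNI hits:         ", sni_blocklist_hits(FLOW_LOG, DOMAIN_BLOCKLIST))
```

The DNS-based check catches 10.0.0.7 but has no record at all of 10.0.0.11 visiting the blocked domain; the flow-based check both spots the DoH sessions and catches that visit through the SNI. The empty SNI on the last line shows why matching on destination address is kept as a second signal.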
DoH helps criminals.
The important thing about DoH is that it helps users bypass online censorship. The problem is that DNS-over-HTTPS also bypasses DNS-based blocklists that were put in place for legitimate reasons, such as those against child-abuse material, terrorist content, and sites hosting pirated copyrighted material.
The general point is that DNS-over-HTTPS is not what many people think it is: it does not protect users from spying. Businesses should invest in new ways of monitoring and filtering traffic, as the era of DNS-based controls appears to be ending. Such systems already exist, but they are expensive, which is the main reason so many companies still rely on DNS-based controls.