DNS over HTTPS – or – Why is your ISP spying on you?

UPDATED: to reflect a newer version of the VPN list from Torrent Freak.

Or DoH has been in the news, because it turns out, your Internet Service Provider, or your Cellphone Carrier if you are using them, is spying on your internet access. Everything you do on the internet. Why aren’t you using a VPN? If you EVER do ANYTHING on a public WiFi, you should have a VPN that you trust. (Hint: You CANNOT trust a VPN that is Free. You also can’t trust all of them that you pay for. TorrentFreak is your friend.) A video version of the story is at this link: Security Now Episode 740. And the Show Notes are at this link.

Incidentally, you can bypass all of this nonsense on Android and iOS by downloading and running the app. (Available in both stores.) This is Cloudflare’s solution. And while that means you are trusting Cloudflare, Mozilla has done a credible job of vetting them, and will keep them on their toes. And they are certainly more trustworthy than Comcast, Verizon, et al. Note that is NOT a complete VPN. If you run a VPN (see the Torrent Freak link) this problem of your ISP spying on you is less of an issue.

DoH prevents the ISPs from doing some simple spying, which is why Comcast is so upset, they have to spread Fear, Uncertainty and Doubt all over the place. Six of the seven major web browsers are implementing DoH, it just isn’t on by default yet. Well as usual, it isn’t clear what Apple is doing, since they almost never answer questions.


Tom Lowenthal, Product Manager at Brave for Privacy & Security told ZDNet: “We absolutely want to implement it. Implementing DoH is far more than just the technical work, though. We need to decide on sensible and protective defaults for the vast majority of people who don’t think about their DNS configuration while making sure that we don’t break things for the people and organizations who have carefully tuned their setup.” Because Brave is built on top of the Chromium open-source browser codebase, DoH support is available. However, the Brave team has yet tweaked the feature so that it works exactly the way they wish. So DoH is already there in the codebase the way the Google Chrome team designed it to work, as we’ve previously described. DoH in Brave can be enabled at: brave://flags/#dns-over-https


As we know, Google Chrome is the second browser after Firefox to add DoH support. DoH isn’t yet enabled by default for everyone since Google is currently running a limited experiment with a small number of users to see how DoH fares in a real-world test. As we’ve noted, they take an adaptive approach, first honoring the user’s existing DNS provider to see whether it supports DoH and using it it possible. If not it follows various heuristic paths. DoH in Chrome can be enabled at: chrome://flags/#dns-over-https


A Microsoft spokesperson told ZDNet that they were supportive of DoH, but they couldn’t share their exact plans. However, like Brave, the soon-to-be-released Chromium-based version of Edge already supports DoH. DoH in Edge can be enabled at: edge://flags/#dns-over-https Additional thoughts, tips and tricks from an Edge developer are here: https://textslashplain.com/2019/11/06/thoughts-on-dns-over-https/


As we know, Firefox was the first out of the gate with DoH and took some undeserved, in my opinion, arrows in its back for simply standardizing upon Cloudflare as their DoH provider. No one took the time to understand how rigorously Mozilla vetted Cloudflare. And many people who don’t listen to this podcast might mistakenly believe that Cloudflare is just another CDN. But anyone who can erect a large wall of Lava Lamps and use their video images to generate true random numbers definitely stands out as an innovator. Which is what we know them to be. DoH can be enabled in Firefox through its Settings UI.


Opera has already rolled out DoH support. The feature is disabled by default for all users but it can be enabled at any time in the stable release, and it works without users going through any additional steps. The flip side of the “no additional steps” is that Opera has followed Firefox’s lead and simply routes all DoH traffic to Cloudflare’s DoH resolver. Users of Opera’s popular VPN should not, however, that the two are incompatible and the VPN must be disabled for DoH to work. On the other hand, if you’re using a VPN you already have a privacy-encrypting tunnel which zips right past your ISP or service provider, so DoH is not needed in VPN mode. DoH can be enabled in Opera at: opera://flags/opera-doh


ZDNet was unable to obtain any reply from Apple about Safari but ZDNet notes that since Apple has recently been investing in user privacy-focused features, the chances are good that DoH will eventually appear in Safari.


Being yet another Chromium-based browser, Vilvadi also works like Chrome. DoH can be enabled in Vivaldi at: vivaldi://flags/#dns-over-https