On Mon, 9 Sep 2019 00:38:03 +0200, Adam Borowski <kilob...@angband.pl> wrote:
>With local DNS:
>* the target server knows about you (duh!)
>* the ISP can read the destination of every connection
>  [reading the DNS packets, reading the IP header, reading SNI header]
>* the ISP can block such connections
>  [blocking DNS packets, blocking actual connection]
>* DNSSEC forbids falsifying DNS
>
>With DoH:
>* the target server knows about you (duh!)
>* the ISP can read the destination of every connection
>  [reading the IP header, reading SNI header]
>* the ISP can block such connections
>  [blocking actual connection]
>* Cloudflare can read the destination of every connection
>  [they serve the DNS...]
>* Cloudflare can falsify DNS¹
>* Cloudflare can block connections
>  [blocking or falsifying DNS response]
>
>So currently DoH is strictly worse.

Will DOH break corporate web apps that are accessed over a VPN (and thus
only resolvable via the local resolver)? Or has Mozilla catered for that?

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mail address in header
Mannheim, Germany  |     Beginning of Wisdom "     |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834