You're right to be suspicious. The DNS-over-HTTPS model favors those who run the servers (because they get exclusive access to monetizable end user name resolution data) and those who control the resolvers.
You might control the resolver on your personal computer (for now). You probably don't control it on your phone. You most likely won't control it on your embedded devices.
The root evil here is that you can't change the root certificates in such devices. Even if you controlled its DNS, the device could still just be programmed to fail if it doesn't reach its analytics/ad/whatever server.
The IKEA Tradfri "smart" lighting gateway will stop responding to commands if it can't phone home to some IKEA server. I noticed this when I changed my router to use NextDNS, which blocked the IKEA lookups. I was ready to return the device as broken until I realized this. I've also had issues with Bang & Olufsen speakers in the past, and I'm inclined to believe it's for the same reasons.
I think it's insane that devices can effectively be bricked if they can't phone home. It's nothing short of waste, and I think environmental legislation should require device manufacturers to supply ways of disabling or overriding these mechanisms such that devices can continue to operate regardless of whether home servers are blocked or otherwise out of reach, e.g. company goes belly up, censorship etc.
I tend to cut DJI a break, because customer (non-)compliance with no-fly zones is a class-1 existential threat to their business selling consumer drones. Pinging DJI servers to check for altitude restrictions at every power-up cycle is intrusive, but I honestly don't see that they have much choice.
When I installed PiHole a few years back I blocked my tradfri gateway from connecting to Ikea's servers and everything kept working! I wonder if something has changed since then? Ikea devices are kind of nice because they don't actually rely on the internet at all and work completely locally (at least, they did a few years back).
All I can say is when I had NextDNS configured on my router it blocked requests to some IKEA domain, possibly smetrics.ikea.com from a cursory search through the logs, and my Tradfri gateway would just straight stop responding to anything at that point. I googled around for a while and found other people having issues with DHCP and QoS with Tradfri gateways, so I made sure it had a static IP set as well as all QoS “features” being disabled, but this didn’t help. It would work at first, for some period of time (30 min maybe?) and then stop responding. Once I saw the blocked DNS lookups I disabled NextDNS on the router and flushed any caches on the router, rebooted everything, and it’s worked fine now for a good month or so.
I will admit I haven’t done any further investigation, but simply concluded that the gateway at some point started phoning home and if it didn’t receive a response went into some catatonic state. Maybe I’ll dig deeper at some point, time permitting.
You can go back from network settings back to settings or something like this. Just poke around.
Discovered it when Comcast went down for 4 days and I wanted to run Kodi on Fire TV.
Amazon also tends to hide options until you "try" connecting to your network. My device refused to work without internet until I "tried" connecting to my network using an incorrect password. When I did that and the device failed, an option to skip network setup appeared. In small font at the bottom of the screen, of course.
I still prefer DoH giving "exclusive" access to resolvers, because the alternative is sending that data in plaintext for everyone along the path to read?
If your ISP is large enough it is only sent to ISP's name server which probably has everything you need cached, and if it isn't it might blend in with other queries. And your ISP can sniff SNI or guess target domains from target IPs already.
> The DNS-over-HTTPS model favors those who run the servers (because they get exclusive access to monetizable end user name resolution data)
Hold up. You are claiming that the fact that DoH prevents DNS requests from being visible in cleartext network traffic is a bad thing?
...what? In a world where the choice is between one party (the DNS provider) having access to my DNS requests and everyone on the network including my DNS provider having access to my DNS requests, I'll choose "DNS provider having exclusive access" every single time.
> Hold up. You are claiming that the fact that DoH prevents DNS requests from being visible in cleartext network traffic is a bad thing?
It is when it's my network. If they cared about people sniffing they would use DNSSEC, but still use the network DNS server. DNS over HTTPS is just a way for shady companies to hide what they're doing.
I believe that Google pushed DoH to track your cross-site browsing. TLS hides your URL, and blockers can break adsense tracking and/or any other call-home backlinks.
Using DoH, especially one served by an advert company is just signing up to be their open book.
Chrome didn't change the resolver, though. It just enables DoH if it's on a whitelist of known DoH-capable resolvers. It doesn't send your data to Google unless you already used Google's DNS.