@denkmoon Thank you for speaking up. There are many things about DOH/DOT that many don’t understand. There are protocol issues, privacy issues, security issues. DNS over TLS should be the natural progression.


The reality is that DNS over TLS is a rarity and most users are stuck with poorly operated, unencrypted DNS servers both at work and at home. That's not secure and the lack of privacy is often intentional or even local policy. A lot of operators actually earn some money on the side selling data to advertisers. And they are also more than happy to give local authorities access to that data. Same in companies where your boss likes to know what his minions are looking at in their browsers. These issues are not hypothetical, they are real and the vast majority of users are exposed to this poor status quo.

DNS over HTTPS solves that problem right now by simply bypassing all those poorly configured DNS services. Nothing wrong with that. Why wait for something that might never happen and that is dependent on the cooperation of companies that are clearly not in a hurry to do so when you can go straight to a secure and private by default situation right now? If you have a nice trusted TLS DNS server, use it of course. If not, consider using DOH.

I recently had to figure out why my browser was so slow and then I realized I had not turned DNS over HTTPS on yet (new laptop) and all the DNS requests were taking hundreds of milliseconds. Enough for me to notice and be annoyed by it. That's how bad things are for real users right now. O2's DNS server is not great and they are definitely doing everything they legally can to monetize whatever happens on their servers. They probably also hand over server logs to anyone who asks nicely. So thanks, but no thanks.

So, I turned on DNS over HTTPS and problem solved. And I feel a lot better not broadcasting my browsing behavior to O2 and the various companies they sell my data to. And that's when I'm at home. I also use my laptop and phone in coffee shops, hotels, and via public wifis, different operators in different countries, companies/customers I visit, etc. DNS over TLS is not an option there. DOH is.


What advantage do you see of DoT over DoH other than that it's easier to block at the network level? If you want to block other people's computers from using DoT or DoH, then you're the adversary that they're meant to protect us from.


>What advantage do you see of DoT over DoH other than that it's easier to block at the network level? If you want to block other people's computers from using DoT or DoH, then you're the adversary that they're meant to protect us from.

Not GP, but I don't want to block other people's computers. I'm only concerned with my computers. And when one of them gets uppity and tries to bypass the policies on my network, it needs to be smacked down. Hard.

As for anyone else's devices? Have at it. Do whatever you want. But my devices on my network will abide by my policies.

That may make you wonder if I'm going to try and steal your DNS requests. But don't worry, I won't invite you into my home.


> That may make you wonder if I'm going to try and steal your DNS requests. But don't worry, I won't invite you into my home.

The problem isn't guests using your house's network. The problem is that if there's a way for you to network-level block DoH at your own house, then nothing is stopping Comcast or China from implementing the same network-level block.


>The problem isn't guests using your house's network. The problem is that if there's a way for you to network-level block DoH at your own house, then nothing is stopping Comcast or China from implementing the same network-level block.

Fair enough.

But I'd posit that you can't prevent a bad actor who controls your network access from doing whatever the hell they please with/on your traffic, whether you use DoH or not[0].

[0] cf. Transparent TLS proxies ( https://en.wikipedia.org/wiki/TLS_termination_proxy )

Edit: Changed prose to actually make sense.


Running a TLS termination proxy would break everything unless they convinced the users to accept their root certificate, so even the most evil ISPs generally don't do that.
