Maybe I will also add my own comment.
A possibly good idea but very wrong approach
DoH and DoT (DNS over TLS) are in general good technologies as they add encryption to an important process of daily life. However, the approach Mozilla takes is simply wrong. The correct way would be to standardise DoH and DoT and add support for them into automatic address configurations and operating systems. Not in applications!
DoT actually is in the operating system, as our DNS page says:
- DNS-over-TLS (DoT) - A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443, which generally works everywhere, while port 853 is often blocked by restrictive firewalls. DoT has two modes:
  - Opportunistic mode: the client attempts to form a DNS-over-TLS connection to the server on port 853 without performing certificate validation. If it fails, it will use unencrypted DNS.
  - Strict mode: the client connects to a specific hostname and performs certificate validation for it. If it fails, no DNS queries are made until it succeeds.
If you are running an encrypted DNS server, dnscrypt-proxy 2.0.26+ blocks Firefox from automatically enabling DNS-over-HTTPS, and Unbound users can add
    local-zone: "use-application-dns.net." always_nxdomain
(it only stops Firefox autoconfiguration, not the user enabling it by hand). See also
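Added example (Python, written for this page; it is not code from the thread or from the DNS page quoted above): the two DoT modes from the quoted list as a small client, plus the canary check that the dnscrypt-proxy/Unbound rule in this reply targets. The server IP and hostname passed to the client are hypothetical caller-supplied values, and the NXDOMAIN reply is constructed inline so the demonstration runs offline.

```python
"""Hypothetical DoT client and Firefox canary check (added example, not from the thread)."""
import secrets
import socket
import ssl
import struct

CANARY_DOMAIN = "use-application-dns.net"  # canary domain named in the reply above
RCODE_NXDOMAIN = 3
DOT_PORT = 853  # dedicated DoT port named on the DNS page quoted above


def build_query(name, qtype=1, txid=None):
    """Build a wire-format DNS query (A record by default) with RD=1.

    A random transaction ID is used unless the caller fixes one (tests do).
    """
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def frame_for_tcp(message):
    """DNS over TCP/TLS prefixes each message with its 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message


def parse_rcode(response, expected_txid):
    """Return the RCODE of a response, rejecting replies that do not match our query."""
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is a query, not a response")
    return flags & 0x000F


def make_nxdomain_response(query):
    """Constructed sample reply: QR=1, AA=1, RCODE=3, empty answer section.

    This mirrors what an Unbound always_nxdomain local zone returns for the canary.
    """
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = flags | 0x8000 | 0x0400 | RCODE_NXDOMAIN
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0) + query[12:]


def firefox_doh_autoconfig_blocked(rcode):
    """Firefox skips automatic DoH when the canary lookup returns NXDOMAIN."""
    return rcode == RCODE_NXDOMAIN


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def query_rcode_over_dot(name, server_ip, server_hostname, strict=True, timeout=5.0):
    """Resolve `name` over DoT and return the RCODE.

    strict=True  (strict mode): validate the certificate against server_hostname;
                 on any failure raise, so no query ever leaves in cleartext.
    strict=False (opportunistic mode): skip certificate validation and fall back
                 to plain UDP/53 if the TLS session cannot be established.
    server_ip and server_hostname are hypothetical, caller-supplied values.
    """
    txid, query = build_query(name)
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check by default
    if not strict:
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                tls.sendall(frame_for_tcp(query))
                (length,) = struct.unpack("!H", _recv_exact(tls, 2))
                return parse_rcode(_recv_exact(tls, length), txid)
    except OSError:  # ssl.SSLError and socket.timeout are OSError subclasses
        if strict:
            raise
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
            udp.settimeout(timeout)
            udp.sendto(query, (server_ip, 53))
            return parse_rcode(udp.recv(512), txid)


if __name__ == "__main__":
    # Offline demonstration with the constructed reply; no network needed.
    txid, q = build_query(CANARY_DOMAIN, txid=0x1234)
    rcode = parse_rcode(make_nxdomain_response(q), txid)
    print("canary RCODE", rcode, "-> Firefox DoH autoconfig blocked:",
          firefox_doh_autoconfig_blocked(rcode))
```

The strict path deliberately re-raises instead of falling back: the quoted definition of strict mode is that no query is sent until the validated connection succeeds, and the opportunistic path shows why that matters, since a blocked port 853 silently turns it into plain UDP.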
I tried it and realized I have to trust both my VPN provider and Cloudflare not to log instead of just my VPN provider.