Coming to USA Firefox now: DoH:
https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/
Advantages and disadvantages. See Client Support:
https://en.wikipedia.org/wiki/DNS_over_HTTPS
This is all to battle against abuse of unencrypted DNS request connections.
Why this is not such a good idea for end-users:
1) Concentrating all DoH requests with a small group of external players (like CloudFlare, Google) will mean an enhanced privacy risk for a large number of Internet users, because the mentioned players will know exactly, for a great number of Internet users, when and what websites they visit. Censorship and downgrading of certain websites is not unthinkable. From a privacy viewpoint it would be a good thing if one could have many more DoH providers to choose from, but then blacklisting will be more of a problem, because:
2) Local DNS logging no longer takes place at firm level. Of course such logging means an enhanced risk, but it will enable you to detect compromised devices within your network;
3) DoH will raise demand for TLS interception considerably, and the risks thereof outweigh the overall profit.
(info credits: Erik van Straaten).
Using Pi-hole in such a setting makes you dependent on just one single DoH provider. What about virtual hosts on one IP address?
But "DNS queries for the A and AAAA records for the domain “use-application-dns.net” must respond with NXDOMAIN rather than the IP address retrieved from the authoritative nameserver".
Mozilla just thinks it complies with the following contract: In the US, Firefox by default directs DoH queries to DNS servers that are operated by CloudFlare, meaning that CloudFlare has the ability to see users' queries. Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information.
To mitigate this risk, our partners are contractually bound to adhere to this policy. (does not only apply to Cloudflare)
Source:
https://support.mozilla.org/en-US/kb/firefox-dns-over-https
Whenever you are used to non-existing Interwebz privacy this is not a big thing; remember only that it only furthers the monopoly status of the big players, like we have Google, CloudFlare.
So again less to choose from, or use: Intra — an Android application by Jigsaw to route your DNS queries to a DNS-over-HTTPS server of your choice, re:
https://play.google.com/store/apps/details?id=app.intra

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
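Added example (not part of the post above, nor Mozilla's or Pi-hole's own code): the quoted canary rule says the network resolver must answer NXDOMAIN for A and AAAA queries on use-application-dns.net if it wants Firefox to leave DoH off. The script below lets a network admin verify that their own resolver (e.g. a Pi-hole) actually does so: it builds a plain UDP DNS query with only the standard library, sends it to the resolver, and reads the RCODE out of the reply header. The resolver address on the command line and the two sample replies are assumptions/constructed data, not captured traffic.

```python
"""Check whether a resolver honours the Firefox DoH canary domain.

Firefox will not enable DoH when the network's resolver answers NXDOMAIN
for A/AAAA queries on use-application-dns.net. This script sends a plain
UDP DNS query and reads the RCODE from the reply header.
"""
import socket
import struct
import sys

CANARY_DOMAIN = "use-application-dns.net"
QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NXDOMAIN = 3


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: header with RD set, one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_rcode(response: bytes) -> int:
    """Return the RCODE (low 4 bits of the flags word) of a DNS response."""
    if len(response) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("message is a query, not a response")
    return flags & 0x000F


def canary_signals_no_doh(response: bytes) -> bool:
    """True when the reply is NXDOMAIN, i.e. the resolver tells Firefox not to use DoH."""
    return parse_rcode(response) == RCODE_NXDOMAIN


def query_resolver(server: str, name: str = CANARY_DOMAIN,
                   qtype: int = QTYPE_A, timeout: float = 2.0) -> bytes:
    """Send the query over UDP to server:53 and return the raw reply."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return reply


# Constructed sample replies (not captured from a real resolver):
# txid 0x1234, flags 0x8183 = QR|RD|RA + RCODE 3 (NXDOMAIN), one question, no answers.
SAMPLE_NXDOMAIN = (
    struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
    + b"\x13use-application-dns\x03net\x00\x00\x01\x00\x01"
)
# flags 0x8180 = QR|RD|RA + RCODE 0 (NOERROR): the canary was not blocked.
SAMPLE_NOERROR = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
    + b"\x13use-application-dns\x03net\x00\x00\x01\x00\x01"
)

if __name__ == "__main__":
    # Resolver to test is an assumed command-line argument; defaults to localhost.
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for qtype, label in ((QTYPE_A, "A"), (QTYPE_AAAA, "AAAA")):
        reply = query_resolver(resolver, qtype=qtype)
        if canary_signals_no_doh(reply):
            state = "NXDOMAIN (DoH opt-out signalled)"
        else:
            state = f"RCODE {parse_rcode(reply)} (Firefox may still enable DoH)"
        print(f"{resolver} {CANARY_DOMAIN} {label}: {state}")
```

Run it as `python3 canary_check.py 192.168.1.2` against the Pi-hole's address; both the A and the AAAA line must report NXDOMAIN, since the rule quoted above covers both record types. A NOERROR or SERVFAIL answer means Firefox clients on that network will ignore the local resolver's wish and may switch to the TRR anyway.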