What I’m not getting here is: What supports DNS over HTTPS?
Because it’s not seemingly the OS (yet). Is there an application layer you install for DNS resolution, and then you point your DNS resolvers to localhost?
So is an SSL handshake. While someone snooping my traffic can’t see where I’m going on, say, PornHub, they can still see I’m going there. That’s all in the clear.
The security angle here seems specious at best. So, your ISP can’t easily hijack your DNS traffic (good… most ISP DNS servers suck) but they can still see everywhere you go. If you truly want to prevent your ISP from seeing where you’re going, you need a VPN.
Not at the OS level. So, changing your DNS settings to 1.1.1.1 won’t encrypt your DNS resolution. Unless I missed something? CoreDNS on Linux, I guess? I’m primarily a Windows stack dev, and so that’s the thrust of my question: how do I utilize this in my ecosystem? And it looks like the answer is “you can’t yet”.
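Added example (my code, not from any commenter or from Cloudflare) of what the "application layer" a local DoH stub needs actually does on the wire per RFC 8484: it builds the normal DNS wire-format query, base64url-encodes it into the `dns` GET parameter of the resolver URL (or POSTs the raw bytes with `Content-Type: application/dns-message`), and parses the wire-format answer that comes back in the HTTPS body. The resolver URL and the response bytes are constructed placeholders, so it runs offline; the OS is then pointed at the stub on localhost exactly as the question above supposes.

```python
"""DNS-over-HTTPS (RFC 8484) message handling for a local stub resolver, offline."""
import base64
import struct
from urllib.parse import urlencode

TYPE_A = 1
CLASS_IN = 1

# Hypothetical resolver endpoint; a real DoH resolver publishes its own URL.
RESOLVER_URL = "https://doh.example.invalid/dns-query"


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as DNS labels: 0x07 'example' 0x03 'com' 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, qid: int = 0) -> bytes:
    """Wire-format query: 12-byte header + one question.
    RFC 8484 recommends ID 0 so identical queries yield identical GET
    URLs that HTTP caches can serve."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: the query, base64url without '=' padding, in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return resolver_url + "?" + urlencode({"dns": b64})


def read_name(data: bytes, pos: int, max_hops: int = 16):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", data[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def parse_response(data: bytes) -> dict:
    """Parse the header, skip the question section, return the answer RRs."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    pos = 12
    for _ in range(qd):
        _, pos = read_name(data, pos)
        pos += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, pos = read_name(data, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": qid, "rcode": flags & 0x000F, "answers": answers}


# Constructed response (not captured from any real resolver): echoes the
# question and answers with one A record, 192.0.2.1 (TEST-NET-1), TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url(RESOLVER_URL, build_query("example.com")))
    print(parse_response(SAMPLE_RESPONSE))
```

A real stub wraps this in a UDP listener on 127.0.0.1:53 and an HTTPS client; the TLS session to the resolver is what keeps the query from the ISP, and the resolver's certificate is what stops the redirection-to-a-local-server trick mentioned later in this thread.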
In this context I think that is what ‘privacy protecting’ means. Certainly inconvenient for environments where privacy is neither desired nor supported and the security team keeps a close eye on things; but there aren’t a lot of options that make their use case easier without also being pretty easy to scale up and use against much larger sets of targets whose network traffic you have at least partial access to (the closest thing to a “works at work without compromising everything elsewhere” is probably adding your pet CA as a trusted root on everything you control; but even that doesn’t play terribly nicely with pinning and any other workarounds for CAs being incompetent or shady).
The uses you describe are all things that would be shady if it weren’t for the fact that they are being done by the operators of the system to the system they are operating, with at least the “or you could not work here…” consent of the end users. How could you preserve the ability to exercise those functions without leaving people open to technically similar surveillance techniques by people they haven’t authorized?
Nope! Depending on the type of VPN, all traffic is usually either encapsulated into one TCP stream, or one IPsec stream, and sent to your VPN provider, encrypted. All your provider can see is those two streams.
On the other end, your VPN provider unrolls those streams and makes connections on your behalf (for example, to a DNS server). Someone monitoring your VPN endpoint can tell what port you are using, but not anyone before that. (and the person monitoring the endpoint would only know that it came from a VPN customer, not which one by traffic alone).
Likely not. They appear to be intercepting requests for DNS and redirecting them to their local server.
It doesn’t sound like we have a disagreement about the inherent tradeoffs involved; so I have to ask: was your focus on the things that it will make more inconvenient based on those being your problem day to day, so not something you want to see get even less fun; or a general position on the value of the pros and cons across the board?
Just an FYI, when you use Tor (I’m assuming that is the onion browser you are referring to), the DNS queries for the browsing you do get handled by the Tor exit node, and are not served by the resolver you set on your Mac (1.1.1.1 or otherwise).