Trade associations
While acknowledging the overall benefit of encrypting DNS traffic, the associations consider it unacceptable to concentrate control over name resolution in a single party's hands and to tie this mechanism by default to centralized DNS services. In particular, they argue that Google is moving towards enabling DoH by default in Android and Chrome, which, if tied to Google's servers, would break the decentralized nature of the DNS infrastructure and create a single point of failure.
Since Chrome and Android dominate the market, if they force the use of Google's own DoH servers, Google would be able to control the majority of users' DNS query flows. Besides reducing the reliability of the infrastructure, such a move would also give Google an unfair advantage over competitors, since the company would receive additional information about user actions that could be used to track user activity and select targeted advertising.
DoH can also disrupt areas such as parental control systems, access to internal namespaces in enterprise networks, routing in content delivery optimization systems, and compliance with court orders against the distribution of illegal content and the exploitation of minors. DNS spoofing is also commonly used by providers to redirect a subscriber to a page informing them that their account balance has run out, or to a captive portal for logging into a wireless network.
Google
Let us recall that DoH can be useful for preventing leaks of information about the requested host names through providers' DNS servers, combating MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), countering blocking at the DNS level (DoH cannot replace a VPN when it comes to bypassing blocking implemented at the DPI level), or for keeping name resolution working when DNS servers cannot be reached directly (for example, when working through a proxy).
Normally, DNS queries are sent directly to the DNS servers defined in the system configuration; with DoH, the request to resolve a host's IP address is instead encapsulated in HTTPS traffic and sent to an HTTP server, where a resolver processes the requests via a Web API. The existing DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of queries. Currently about
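To make the encapsulation described above concrete, here is an added example (not code from the opennet.ru article, Google, or any DoH resolver) that follows RFC 8484: it builds an ordinary DNS wire-format query, shows the two HTTP forms in which a DoH client carries it (a GET with the query base64url-encoded in the `dns` parameter, and a POST with the raw query as the body and the `application/dns-message` media type), and parses a response body. The server name `doh.example.net` and path `/dns-query` are assumptions, and the response bytes are constructed by hand rather than captured from a real server, so the whole script runs offline.

```python
"""Added example: how a DNS query is carried inside HTTPS for DoH (RFC 8484).

Not from the original article. The resolver host/path are placeholders and the
response below is constructed by hand; nothing here touches the network.
"""
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"  # media type defined by RFC 8484


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Return a DNS wire-format query (RFC 1035) for `name` (default QTYPE A).

    RFC 8484 suggests a transaction id of 0 so that identical GET requests
    produce identical URLs and can be cached by HTTP caches.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: the query goes in the `dns` parameter, base64url without padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def doh_post_request(path: str, host: str, query: bytes) -> bytes:
    """POST form: the raw DNS message is the HTTP body. This is what sits inside TLS,
    so an on-path observer sees only an HTTPS connection to `host`, not the query."""
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Accept: {DOH_CONTENT_TYPE}\r\n"
        f"Content-Type: {DOH_CONTENT_TYPE}\r\n"
        f"Content-Length: {len(query)}\r\n\r\n"
    )
    return headers.encode("ascii") + query


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed domain name; return (name, offset_after_name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Parse a DNS response body returned by the DoH server (A records only)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(map(str, rdata))))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


# Constructed response: NOERROR, the question echoed back, one A record for the
# documentation address 192.0.2.1 with TTL 300, owner name compressed to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example.net/dns-query", q))
    print(doh_post_request("/dns-query", "doh.example.net", q).decode("ascii", "replace"))
    print(parse_response(SAMPLE_RESPONSE))
```

The point worth noticing is that nothing in the DNS message itself changes: the same 29-byte query a stub resolver would send over UDP port 53 is simply wrapped in an HTTP request, which is why DoH hides the query from an on-path observer (only a TLS session to the resolver is visible) while leaving the choice of resolver, and therefore who sees every query, entirely to whoever configures the client.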
Source: opennet.ru