Everybody should be using DNS over HTTPS (DoH) or over TLS (DoT) nowadays. Clear DNS is way too easy to subvert and even when it’s not being tampered with most ISP snoop on it to compile statistics about what their customers visit.
DoH and DoT aren’t a full-proof solution though. HTTPS connections still leak domain names when the target server doesn’t use Encrypted Hello (ECH) and you need to be using DoH for ECH to work.
Even if all that is in place, a determined ISP, workplace or state actor can identify DoH/DoT servers and compile block lists, perform deep packet inspection to detect such connections regardless of server, or set up their own honey trap servers.
There’s also the negative side of DoH/DoT, when appliances and IoT devices on your network use it to bypass your control over your LAN.
How would they do DPI on DNS packets routed using DoH? It looks like HTTPS traffic, it’s encrypted, and other than size and frequency I don’t see how they can gey anything out of it. Yeah they’ll get the SNI with eCH but that’s supported by FF and by a lot of providers using DoH
A brief technical summary from iMAP reveals what happens when users attempt to access sites using Cloudflare and Google DNS.
• On Maxis, DNS queries to Google Public DNS (8.8.8.8) servers are being automatically redirected to Maxis ISP DNS Servers;
**
• On Time, DNS queries to both Google Public DNS (8.8.8.8) and Cloudflare Public DNS (1.1.1.1) are being automatically redirected to Time ISP DNS servers.
“Instead of the intended Google and Cloudflare servers, users are being served results from ISP DNS servers. In addition to MCMC blocked websites, other addresses returned from ISP DNS servers can also differ from those returned by Google and Cloudflare,” iMAP warns.
…
"Users that are affected, can configure their browser settings to enable DNS over HTTPS to secure their DNS lookups by using direct encrypted connection to private or public trusted DNS servers. This will also bypass transparent DNS proxy interference and provide warning of interference,” iMAP concludes.
Essentially Malaysia law required ISP to drop DNS entries for some sites, local users started using public DNS. ISP started redirecting public DNS requests, and local users started using DNS over HTTPS.
The pirate wars continue in their arms races.
This is why technologies like DoH and DoT are needed. To prevent this kind of tampering.
What’s the “best practices” for DNS these days besides running your own local service?
Just use your VPN provider’s DNS.
NextDNS
Will be blocked just as well. These users need encrypted DNS, and honestly, not just them but everyone else too because of ISP tracking. dnscrypt or DoH is the solution.
Wouldn’t a VPN still work? VPN+NextDNS would do the job.
Hope Proton comes up with a good encrypted DNS service however.
Yes, that should work too