
There are two edges to this sword.

DoH also means breaking stuff like Pi-hole and other ad filtering. It means you trust companies like Google, who base their revenue off ads, or Cloudflare, who have censored content numerous times in the past, to serve you DNS.

It's also kind of pointless if the state knows you're using it outside of a tunnel... they can just watch your next packets to see where you decided to go.



Quick thought. If software wanted to, could it not, today, bypass your DNS resolvers anyway? Choosing to use DoH on software where you control the DNS resolution seems like an unambiguous win. FWIW, the Chromium implementation of DoH upgrading only upgrades you to DoH if your configured DNS provider is known to support it via a hardcoded list.

In theory, you could have Pi-hole resolve using a DoH resolver and your devices resolve using Pi-hole, and have the best of everything.

(Disclaimer: Google employee, not working on ads or Chromium or DNS.)


Also in practice. It's one of the check-boxes in the pi-hole settings.


This is a fundamental flaw of content blocking based on host name. It often happens to work, but there's no rule that says that it has to, and really no good reason why it should be guaranteed to.


Isn't there a way to use Pi-hole as your DNS server and let it use DoH?

That way you could do DNS to Pi-hole, do the filtering, and let it use DoH to the outside world.


> DoH also means breaking stuff like Pi-hole and other ad filtering.

No, it doesn't.

E.g. I run DoH behind my home's DNS cache server.

> It's also kind of pointless if the state knows you're using it outside of a tunnel... they can just watch your next packets to see where you decided to go.

This is where HTTPS and eSNI further help.


> E.g. I run DoH behind my home's DNS cache server.

I think GP is referring to the fact that apps can now bypass network- or OS-wide DNS stub/recursive resolvers undetected with DoH.

> This is where HTTPS and eSNI further help.

I believe TLS v1.3 specifically has anti-censorship and anti-surveillance properties baked in: https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/


They could have had their own resolver before, or even hard coded IPs.

Using software that doesn't respect you is the problem.


Firewalls can redirect port 53 to another IP. That prevents things from hard-coding to a specific IP.

https://forum.opnsense.org/index.php?topic=9245.0


Euh, it prevents a custom resolver sure, but hard-coded IPs bypass the need for DNS completely.
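One way to see the difference the replies above describe from the network side: a small detection pass over flow records and Pi-hole answers. This is an added example, not code from any commenter or from the Pi-hole project; the Pi-hole address, LAN range, flow records and query answers are constructed, and the well-known public resolver addresses are used only to label direct port-443 traffic to them as likely DoH. Clients talking plain DNS past the Pi-hole are caught by the port-53 rule; clients using DoH or hard-coded IPs show up only as connections to destinations the Pi-hole never resolved for them.

```python
from ipaddress import ip_address, ip_network

PIHOLE = ip_address("192.168.1.2")            # constructed: the LAN's Pi-hole
LAN = ip_network("192.168.1.0/24")            # constructed: local network
# Well-known public resolvers that also offer DoH on port 443 (Cloudflare, Google).
KNOWN_RESOLVERS = {ip_address("1.1.1.1"), ip_address("8.8.8.8")}

# Constructed Pi-hole query answers: (client, queried name, answer IP).
PIHOLE_ANSWERS = [
    ("192.168.1.10", "news.example", "203.0.113.5"),
]

# Constructed flow records: (src, dst, proto, dport).
FLOWS = [
    ("192.168.1.10", "192.168.1.2", "udp", 53),     # normal: query goes to Pi-hole
    ("192.168.1.10", "203.0.113.5", "tcp", 443),    # destination came from a Pi-hole answer
    ("192.168.1.20", "8.8.8.8", "udp", 53),         # plain DNS straight past the Pi-hole
    ("192.168.1.30", "198.51.100.7", "tcp", 443),   # never resolved via Pi-hole: DoH or hard-coded IP
    ("192.168.1.40", "1.1.1.1", "tcp", 443),        # HTTPS directly to a public resolver
]


def classify(flows, answers, pihole=PIHOLE, lan=LAN, resolvers=KNOWN_RESOLVERS):
    """Return (src, dst, label) for LAN flows that sidestep the Pi-hole.

    Heuristic: a destination is 'expected' only if the Pi-hole handed that
    client that IP in an answer. Cached answers from before the log window
    and CDN rotation produce false positives, so feed it the full answer history.
    """
    resolved = {(client, answer) for client, _, answer in answers}
    findings = []
    for src, dst, _proto, dport in flows:
        s, d = ip_address(src), ip_address(dst)
        if s not in lan:
            continue                                  # only outbound from our clients
        if dport == 53 and d != pihole:
            findings.append((src, dst, "plain-dns-bypass"))
        elif d in lan:
            continue                                  # LAN-internal traffic is out of scope
        elif dport == 443 and d in resolvers:
            findings.append((src, dst, "likely-doh"))
        elif (src, dst) not in resolved:
            findings.append((src, dst, "unresolved-destination"))
    return findings


if __name__ == "__main__":
    for finding in classify(FLOWS, PIHOLE_ANSWERS):
        print(*finding)
```

Redirecting port 53 at the firewall, as suggested above, removes the first class of finding; the other two are exactly the cases that redirection cannot touch.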


> cloudflare who have censored content numerous times in the past

Besides Stormfront[0], what else did they censor?

[0] https://en.wikipedia.org/wiki/Stormfront_%28website%29


I wouldn't call that censoring either. They just refused to provide any services for them.


Indeed, "deplatforming" isn't equivalent to "censoring".


8chan


Pi-hole is a short-term solution; it is the wrong long-term one: it only works as long as these holes exist. Blocking needs to be done in the browser, or on your computer, to be done more securely.


Pi-hole helps for network devices where blocking on the device isn't possible. Examples in my household are the TV, which tries to connect to an obvious telemetry address, all my Sonos devices (love 'em, hate 'em), the Nest device, and the apps on all phones. I struggled to block those until the Pi-hole made it easy.



