
>DoH also means breaking stuff like pihole and other ad filtering.

No, it doesn't.

e.g. I run DoH behind my home's DNS cache server.

>it's also kind of pointless if the state knows you're using it outside of a tunnel...they can just watch your next packets to see where you decided to go.

This is where HTTPS and eSNI further help.



> e.g. I run DoH behind my home's DNS cache server.

I think GP is referring to the fact that apps can now bypass network- / OS-wide DNS stub / recursive resolvers undetected with DoH.

> This is where HTTPS and eSNI further help.

I believe TLS v1.3 specifically has anti-censorship and anti-surveillance properties baked in: https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/


They could have had their own resolver before, or even hard coded IPs.

Using software that doesn't respect you is the problem.


Firewalls can redirect port 53 to another IP. That prevents things from hard coding to a specific IP.

https://forum.opnsense.org/index.php?topic=9245.0


Euh, it prevents a custom resolver sure, but hard-coded IPs bypass the need for DNS completely.





