Very nice options, sir!! I have long since degoogleized all my search engines and am well aware using Google DNS means all my requests will go to China. I only use them for a quick and dirty solution when needed, which I shouldn’t.
It’s good to have options! Thanks again!
Glad I’m not an enterprise, though technically I expect we all are…
Thanks for that article. Ironically my heavy-handed custom + third party DNS blocklists kill all attempts to connect to AT; there must be too many tracking/fingerprinting attempts somewhere in their setup.
I use CroxyProxy.net for such ‘one off’/suspect sites. It ain’t perfect but it usually gets me what I need.
The reason: device-enabled DoH bypasses network defenses such as DNS inspection, which monitors domain lookups and IP address responses for signs of malicious activity.
Heh; the NSA calls it a problem; I call it the primary attraction of that solution.
There are other risks as well. For instance, when an end-user device with DoH enabled tries to connect to a domain inside the enterprise network, it will first send a DNS query to the external DoH resolver.
That doesn’t seem to be true in the case of GL GUI/OpenWrt using dnsmasq (the underlying process behind DHCP & DNS forwarding) when forwarding to dnscrypt-proxy2 (the process handling DOT/DOH/DNSCrypt). YMMV.
opkg update && opkg install htop && htop ; you’ll see the processes I mention (grab the nano editor while you’re at it).
The TL;DR of that article is that the Corpos, Big Brother types (Glowies I believe they’re also known as, no?) don’t like DOH because they can’t easily control it/lock it down.
… so you can see why I like it so. F 'em. #SnowdenWasRight