DoH improves privacy and security. It uses encryption, but it does not enhance encryption. That sounds confusing, so hold the thought; we’ll come back to it at the very end.
The Domain Name System is the Internet’s post-box.
Except, it works a lot like kids in college, and that’s where the trouble starts. Imagine being 16 and overly infatuated with a batch-mate. Let’s call him/her X. You’re dying to call X, but you don’t have his/her number. What do you do? You ask your good friend Alice, who pinky promises never to tell anyone ever about this love interest of yours, to get that number. Alice, being the good friend she is, asks her best friend (now, that’s how BFFs work in college, right?), Charlie, to get that number for you. And Charlie asks his BFF to get that number for you, and so on. Somehow after a lot of whatsapping, at the end of the day, you do get that number, and you are so giddy that you forget about Alice, and Charlie, and the whole wide world.
Trouble starts when Charlie rings you up and asks you, so hey, how’d your date with X go? You realize that there’s an entire chain of Charlies who know you were desperate to get X’s number. Your privacy just went for a toss. You say, but hey that’s okay, at least they don’t know X turned out to be a jerk, and you are over men forever. Though, really, what happened was you didn’t get the real X’s number, because someone in that long line of Charlies decided to be a smart-ass and gave you their school-dropout, drug-addled second-cousin’s number, just to screw with you. That’s where your security went for a toss.
Bitter and battle-weary, you decide never, ever to let this happen. To anyone else. Ever. And that you will be the only one anybody ever needs to reach out to – when they want a number. You become, in effect, the Trusted Recursive Resolver.
While that’s all nice and dandy, what you can’t fix is this: when I make the call, after you’ve given me the number, my stupid, nosy phone service provider still gets to know that I called X up. And my privacy is still at their mercy. The same thing happens with your ISP – they get to see which server you are connecting to (from the IP address the DNS answer gave you, and before you’ve even sent any data to the site). That’s something the TRR can’t fix.
Over time, as more and more people start depending on you, you grow more and more powerful. A point comes where the Internet, the decentralized Internet as we know it today, ceases to exist. And that’s why a lot of people don’t like DoH.
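To make the "uses encryption but does not enhance encryption" point concrete: what the Trusted Recursive Resolver receives over HTTPS is an ordinary, unchanged DNS message, and the IP address it hands back is exactly what your ISP then watches you connect to. The following is an added example, not code from the original post: it builds the wire-format query that a DoH client sends for `example.com`, encodes it the way RFC 8484 specifies for the GET form, and parses a constructed response. `RESOLVER_URL` is a placeholder and `SAMPLE_RESPONSE` is a hand-built reply using the TEST-NET-1 address 192.0.2.1; nothing is sent over the network.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Placeholder endpoint for illustration only; any RFC 8484 resolver path works the same way.
RESOLVER_URL = "https://doh.example/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal RFC 1035 wire-format query with the RD (recursion desired) bit set.
    RFC 8484 recommends transaction ID 0 so identical queries produce identical bodies
    that HTTP caches can reuse."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"  # root label terminates the name
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def doh_get_url(name: str, qtype: int = 1) -> str:
    """RFC 8484 GET form: base64url-encode the wire-format query, strip '=' padding,
    and carry it in the 'dns' query parameter. This is the only thing that hides
    inside the TLS session; the DNS message itself is unchanged."""
    raw = build_query(name, qtype)
    encoded = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"{RESOLVER_URL}?dns={encoded}"


def decode_doh_param(url: str) -> bytes:
    """What the resolver does on receipt: recover the wire-format query from the URL."""
    param = parse_qs(urlsplit(url).query)["dns"][0]
    param += "=" * (-len(param) % 4)  # restore padding before decoding
    return base64.urlsafe_b64decode(param)


def _read_name(msg: bytes, offset: int):
    """Read a possibly compressed DNS name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_answers(msg: bytes):
    """Parse an application/dns-message response and return the IPv4 addresses
    in its A records. Whatever the resolver put here is trusted as-is: DoH does
    not authenticate the data, only the channel to the resolver."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed sample reply: ID 0, flags 0x8180 (QR, RD, RA), one question,
# one A record (TTL 300) whose name is a pointer back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url("example.com"))
    print(parse_a_answers(SAMPLE_RESPONSE))
```

The encoded query for `example.com` begins `AAABAAABAAAAAAAA`, the same prefix as the `www.example.com` example in RFC 8484, because the twelve-byte header is identical; only the name bytes differ. The resolver decodes it, answers from its cache or by recursing on your behalf, and the address in the reply is where your client opens its next connection in the clear.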
Is there something else that you can do to encrypt your DNS requests? Absolutely. Use DNS over Tor. Want to go fancier? Hell yeah, go, get yourself some of that goodness that is DNS over HTTPS over Tor.