
You want a warm blanket that you blocked some well known ad click tracker while having no real visibility overall. Security theater.


You would be correct if that were my attitude, but it's not. This is not a panacea, it's one component in a larger security posture.


If DNS-based access control is not sufficient on its own, then is it really worth it to block DoH (which could have other significant security and privacy benefits) just to retain the possibility of using it? Why not focus on improving those other, already necessary access control technologies and forget about abusing DNS for this purpose, so we get the best of both worlds?


Because I believe in multilayered security. No one approach to security is sufficient, but combining as many approaches as possible can allow each approach to help cover the weaknesses of the other approaches.

Also, I disagree that denying the lookup of certain domain names is abusing DNS. If I were running a DNS server that was being used by the public, or that was being used by downstream DNS servers, that would be different.

Also, I'm not aware of a method that can accomplish the sort of coverage that blocking DNS lookups can. If you have an alternative, I'd be genuinely interested in hearing about it.
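As an added illustration of the mechanism being argued over (this is editor-supplied example code, not anything posted by the commenters), the policy core of a DNS sinkhole is small: refuse to answer for names under a tracker blocklist and, optionally, for the public hostnames of well-known DoH resolvers so a browser cannot bootstrap DoH by name. The tracker domains and sample queries are constructed; the DoH hostnames are the real public endpoints of Cloudflare, Google and Quad9. The comments also record the limit the thread keeps returning to: a client that carries the resolver's IP address never asks this resolver anything, so the policy neither sees nor blocks it.

```python
"""Toy policy core of a DNS-sinkhole resolver (added example, not from the thread).

Tracker domains and the sample query log are constructed data.  The DoH
hostnames are the public endpoints of three well-known resolvers; whether to
return NXDOMAIN for them is exactly the trade-off the thread is debating.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample blocklist of "well known ad click trackers".
TRACKER_BLOCKLIST = {"tracker.example", "clicks.example.net"}

# Public hostnames of well-known DoH resolvers.  Refusing to resolve these
# stops a browser from bootstrapping DoH by *name*.  It does nothing against a
# client that ships the resolver's IP address, which never queries us at all.
DOH_RESOLVER_HOSTS = {
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.google",
    "dns.quad9.net",
}


@dataclass(frozen=True)
class Decision:
    action: str  # "ALLOW" or "NXDOMAIN"
    reason: str


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lowercase, drop the trailing dot, split on labels."""
    return name.rstrip(".").lower().split(".")


def matches_zone(qname: str, zone: str) -> bool:
    """True if qname is zone itself or a name below it.

    Label-wise suffix match: 'notcloudflare-dns.com' must NOT match
    'cloudflare-dns.com', which a plain str.endswith() check would get wrong.
    """
    q, z = _labels(qname), _labels(zone)
    return len(q) >= len(z) and q[-len(z):] == z


def decide(qname: str, block_doh: bool = True) -> Decision:
    """Policy for one incoming query name.  Blocked names get NXDOMAIN."""
    for zone in sorted(TRACKER_BLOCKLIST):
        if matches_zone(qname, zone):
            return Decision("NXDOMAIN", f"tracker blocklist: {zone}")
    if block_doh:
        for zone in sorted(DOH_RESOLVER_HOSTS):
            if matches_zone(qname, zone):
                return Decision("NXDOMAIN", f"DoH resolver endpoint: {zone}")
    return Decision("ALLOW", "no policy match")


def summarise(qnames: list[str], block_doh: bool = True) -> dict[str, int]:
    """Count decisions over a batch of query names (e.g. a resolver log)."""
    return dict(Counter(decide(q, block_doh).action for q in qnames))


# Constructed sample of names seen by the local resolver.  Note what is absent:
# a client talking DoH to a hard-coded IP produces no line here at all.
SAMPLE_QUERIES = [
    "www.example.com",
    "ads.tracker.example.",
    "Mozilla.Cloudflare-DNS.com",
    "notcloudflare-dns.com",
    "dns.google",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        d = decide(q)
        print(f"{q:32} {d.action:9} {d.reason}")
    print(summarise(SAMPLE_QUERIES))
```

The label-wise match is the one detail worth copying into a real filter: a substring or `endswith` comparison both over-blocks look-alike names and is trivially dodged. Turning `block_doh` off is the "forget about abusing DNS for this" position from the reply above; leaving it on is the multilayered one.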


> I believe in multilayered security. No one approach to security is sufficient, but combining as many approaches as possible can allow each approach to help cover the weaknesses of the other approaches.

Agreed with you there, I'm not saying that multilayered security is a bad thing.

What I'm saying is that right now, in terms of easy and accessible DNS privacy, we have 0 layers. Don't you think it might be worth sacrificing this one partial, incomplete access control solution in favour of solving that?


> If I were running a DNS server that was being used by the public, or that was being used by downstream DNS servers, that would be different.

Without the cooperation of the device, that is indistinguishable from that of a bad actor.

You can get what you want by owning the device and requiring it to cooperate (i.e. with controlled software or a certificate to allow monitoring / blocking).



