
No, DoH only deals with client to resolver encryption.

Recursive lookups from the resolver to authoritative DNS servers from the root down are not encrypted.

Really what you are doing is switching from telling your ISP all the domains you look up to telling Google/Cloudflare. Except your ISP can still see SNIs so you’re really just telling Google/Cloudflare in addition to your ISP.



Seems all for naught :|

I don't suppose there are any proposals to replace how SNIs are transmitted? (sans-vpn/tor, that is)

Does QUIC/HTTP[23] do anything different?



