This is a disinformation campaign. DoH doesn't centralize DNS or DNS privacy. Anyone can run a DoH resolver server, and it'll do just as good a job as Cloud Flare's.
The people crusading against DoH favor a different centralized DNS standard, DoT. DoT is DoH with essentially one difference, which is that it runs on its own port, so that network operators can block it. There's a sprawling cottage industry of security and analytics products that rely on passive DNS analysis to function, and people who sell those products or operate networks that use them have a strong disincentive to block DoT and require users to speak standard, plaintext DNS to servers they can monitor.
Note, however, that once it's up and running, DoT is just as centralized as DoH is; it has to be, because it provides the exact same service model. Centralization and competition have nothing to do with their real concerns, or they'd be lobbying against DoT as well.
I can't say I'm especially fond of Firefox's decision to default to Cloudflare for its DoH resolver, because I loathe Cloudflare. Google Chrome does something more sensible: it won't change your DNS server at all, but will upgrade you to DoH if your nameservers support DoH. You should use nameservers that do, because DoH is valuable: if you're in the US, your ISP is almost certainly passively monitoring and recording your DNS queries, and you shouldn't let them. Personal feelings about Cloudflare aside, you are better off with them than with your US ISP's DNS servers.
There's a strain of Unix sysadmin criticism against DoH that says it's wrong for browsers to co-opt DNS resolution at all, and that they should use the system's resolver. This is nonsense. First, almost no matter which browser you use, you should trust their DNS resolution code more than your operating system's; it will be more security-conscious and probably more performance-conscious code --- DNS resolution maintenance is the job you get on Microsoft or Apple's OS teams to punish you when you break the build. More importantly, as anyone who's ever had to mess around with libares will tell you, browsers have always needed better DNS resolution than libc offers, because they need fast async lookups.
There's another strain of criticism against DoH that Unix nerds won't see much of but which is probably even more important to be aware of: there have been hearings in Congress about how DoH threatens law enforcement by depriving them of intelligence for investigations. Ultimately, this is of a kind with the DoT vs. DoH argument: the people lobbying against DoH simply don't believe DNS lookups should be private. Another "tell" that you're reading one of these people is when they start talking about how DNS privacy doesn't provide complete or perfect privacy --- that you shouldn't care if your DNS lookups are being monitored, because you're leaking so much information elsewhere. This is bamboozlement. DoH privacy is extraordinarily low-effort, actually modernizes the DNS protocol in some ways, and addresses a threat millions of users are directly facing right now.
You should be wary of any outlet that promotes the meme that DoH is somehow shady.
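The comment's central claim is that DoT and DoH carry the same thing and differ only in port and framing. As an added example (not code from this thread or from any resolver vendor), the block below builds a standard RFC 1035 query, wraps it the way an RFC 8484 DoH client does (unpadded base64url in the `dns` parameter of a GET to `/dns-query` on port 443) and the way an RFC 7858 DoT client does (the two-byte length prefix of DNS-over-TCP, inside TLS to port 853), then parses a reply. The resolver hostname `doh.example.net`, the answer `192.0.2.1` and the reply bytes are constructed; the query name `www.example.com` is the one RFC 8484 uses in its own GET example, so the generated URL can be checked against the RFC.

```python
import base64
import struct

# Added example, not from the thread: the same RFC 1035 wire-format query is what both
# DoH (RFC 8484, HTTPS on 443) and DoT (RFC 7858, TLS on 853) carry; only the framing
# and the port differ. Hostname, answer address and reply bytes are constructed.

MAX_POINTER_HOPS = 16  # guard against compression-pointer loops in a hostile reply


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a recursive DNS query. RFC 8484 recommends txid 0 for DoH GETs so
    identical questions produce identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """DoH GET form: the raw query goes in the `dns` parameter as unpadded base64url."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={token}"


def doh_get_request(host: str, query: bytes) -> str:
    """The HTTP/1.1 request line and headers a DoH client sends (no body for GET)."""
    return (
        f"GET {doh_get_path(query)} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n\r\n"
    )


def dot_frame(query: bytes) -> bytes:
    """DoT framing is plain DNS-over-TCP: a 2-byte big-endian length prefix, sent inside TLS."""
    return struct.pack("!H", len(query)) + query


def build_a_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply for testing: echo the question, add one A record whose owner
    name is a compression pointer (0xC00C) back to the question name at offset 12."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def parse_name(msg: bytes, off: int) -> tuple:
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2  # the name ends after the first pointer we follow
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_a_records(msg: bytes) -> list:
    """Return (owner, ttl, dotted-quad) for every A record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4  # skip QTYPE/QCLASS
    records = []
    for _ in range(an):
        owner, off = parse_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return records


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_request("doh.example.net", q))  # inside TLS on 443, indistinguishable from web traffic
    print(dot_frame(q)[:2].hex(), "+", len(q), "bytes, inside TLS on 853, easy to block by port")
    print(parse_a_records(build_a_response(q, "192.0.2.1")))
```

The two transports share every byte of the DNS message; what a network operator can act on is only the destination port, which is the point the comment makes about DoT being blockable. The pointer-hop limit in `parse_name` is the one piece of hardening a real client needs that the wire format itself does not give you.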
> crusading against DoH favor a different centralized DNS standard, DoT
I think that there are 2 camps against DoH. 1. Default centralization to specific points, e.g. Firefox using Cloudflare first and foremost, nobody else. 2. DoH adding complexity. DoT was (practically) superseded with DoH anyway, if for nothing more than adoption.
> criticism against DoH that says it's wrong for browsers to co-opt DNS resolution at all, and that they should use the system's resolver. This is nonsense.
So... your argument is that I can't trust the OS to 'do the right thing' but I should trust the browser, because they know best? If you can't trust the OS, then how could I possibly trust a browser running on said untrusted OS?
Honestly asking how you came to that conclusion because the train of trust is broken on the OS level, so anything above is moot.
> DoH simply don't believe DNS lookups should be private
Problem with DoH is that it is private up to the endpoint. Nobody can listen on the request, but nobody is preventing the endpoint from telling everyone else that 'Joe Smith visited Youtube at {timestamp}'. Once the endpoint has the request, they have your info and can just as easily sell that to telcos.
End-to-end encryption and privacy are only as good as the people on the other side. Can't trust Alice with your message, then don't send it.
> modernizes the DNS protocol
If by modernize you mean convolutes. If I have a resolver on my network serving qwer.localnet. Browser asks cloudflare, returns nxdomain, then my system resolver asks for it; that is far more latency and is far from the modern proper solution for speed and privacy. Cloudflare now knows that I have a local domain, qwer.localnet.
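The two concerns in this reply, that the DoH endpoint sees (and can log or sell) every name it is asked, and that a browser which asks the DoH resolver first leaks internal names like qwer.localnet and pays a failed round trip before the local resolver is consulted, can both be made concrete with a small simulation. The following is an added example, not code from the thread or from Firefox: two stand-in resolvers record every name they are asked, and two routing policies are compared, the DoH-first fallback the reply describes and a split-horizon policy that keeps names under a configured local suffix on the network resolver. The zones (`qwer.localnet` at `10.0.0.5`, `example.com` at `192.0.2.1`) and the suffix list are constructed. Firefox's trusted-recursive-resolver code has an excluded-domains preference (`network.trr.excluded-domains`) that applies the same idea.

```python
from dataclasses import dataclass, field

# Added example, not from the thread: simulates which resolver sees which names under
# two routing policies. Zones, addresses and suffixes below are constructed.

NXDOMAIN = "NXDOMAIN"


@dataclass
class RecordingResolver:
    """Stand-in for an upstream resolver (no network). `seen` holds every name it was
    asked, which is exactly what a logging DoH endpoint learns about you."""
    label: str
    zone: dict
    seen: list = field(default_factory=list)

    def resolve(self, qname: str) -> str:
        self.seen.append(qname)
        return self.zone.get(qname, NXDOMAIN)


def normalize(qname: str) -> str:
    """DNS names are case-insensitive; strip the trailing dot so suffix tests are uniform."""
    return qname.rstrip(".").lower()


def resolve_doh_first(qname, doh, local, local_suffixes=()):
    """The behaviour the reply describes: ask the DoH upstream, fall back to the network's
    resolver only on NXDOMAIN. Every internal name is revealed to the DoH operator and
    costs a round trip that was always going to fail. `local_suffixes` is ignored."""
    q = normalize(qname)
    answer = doh.resolve(q)
    return local.resolve(q) if answer == NXDOMAIN else answer


def is_under(q: str, suffix: str) -> bool:
    """Label-aware suffix test: 'qwer.localnet' is under 'localnet'; 'xlocalnet' is not."""
    return q == suffix or q.endswith("." + suffix)


def resolve_split_horizon(qname, doh, local, local_suffixes=("localnet",)):
    """Split-horizon policy: names under a configured local suffix never leave the
    network; everything else goes to DoH. No NXDOMAIN probing, no leaked zone names."""
    q = normalize(qname)
    if any(is_under(q, normalize(s)) for s in local_suffixes):
        return local.resolve(q)
    return doh.resolve(q)


def run_scenario(strategy, names, local_suffixes=("localnet",)):
    """Resolve `names` with `strategy`; return (answers, names DoH saw, names local saw)."""
    doh = RecordingResolver("doh", {"example.com": "192.0.2.1"})
    local = RecordingResolver(
        "local", {"qwer.localnet": "10.0.0.5", "example.com": "192.0.2.1"}
    )
    answers = {n: strategy(n, doh, local, local_suffixes) for n in names}
    return answers, doh.seen, local.seen


if __name__ == "__main__":
    names = ["qwer.localnet", "example.com"]
    for strategy in (resolve_doh_first, resolve_split_horizon):
        answers, doh_seen, local_seen = run_scenario(strategy, names)
        print(strategy.__name__, answers)
        print("  DoH endpoint learned:", doh_seen)
        print("  local resolver asked:", local_seen)
```

The `seen` lists are the whole point: under the DoH-first policy the remote endpoint learns `qwer.localnet` even though it can never answer it, while under the split-horizon policy it never hears the name at all, and the local lookup is one query instead of two. The suffix match is done per label, so a public name that merely ends in the same letters (`notlocalnet.example.com`) is not misrouted to the internal resolver.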
With respect to your OS versus your browser, you're using "trust" in a different way than I am. Obviously, you have to "trust" your OS in a strict engineering sense; if the kernel is compromised, nothing the browser can do will meaningfully mitigate that. That's not what I'm talking about. I'm saying I "trust" my browser developer to care more about DNS security than I "trust" my OS vendor, just like I "trust" Chrome's X.509 handling more than I "trust" the certificate validation code that ships on the OS. It's not that I think the OS developers are malicious; quite the opposite. I just believe, with some evidence, that they're not incentivized to adopt modern security mechanisms for those features.
My operating system ships with IPSEC VPN support. I'm not going to use it, even though I think highly of the poor souls tasked with maintaining it for Apple; I use WireGuard instead, because I trust Jason and, more importantly, Jason's incentives, more than I trust Apple. I certainly don't feel like I need permission from my OS (in the form of them formally adopting WireGuard) to do so.
With respect to endpoint security – I assume really what you mean is the security of the resolver server that you use, which can indeed monitor your DNS requests – yes! You do have to trust the DoH server with your requests. You should choose one that you do trust. But because your US ISP is already violating that trust flagrantly, you're almost better off with any off-network DoH server you can find. Really, if you're a stickler, you'll just run your own DoH server. You can't do worse than the status quo ante.
> There's a strain of Unix sysadmin criticism against DoH that says it's wrong for browsers to co-opt DNS resolution at all, and that they should use the system's resolver.
It's perfectly reasonable. I don't want each app maintaining its own config and having to gain an in-depth understanding of its custom solution when using another network. Just had that fun with gradle proxy settings in a global configuration file making downloads appear to hang forever with no visible error message. Could have spent quite a bit of that time a lot more productively / enjoyably.
These kinds of standards exist for a reason. The problem is Mozilla not having a way to distinguish an unaware user using the good old way from someone specifically preferring it. OS vendors could help, but relying on them doesn't seem like a good plan either.
It is not perfectly reasonable. Different applications have different requirements, and the applications running on my OS should not all be confined to the lowest common denominator of what the developer who broke the build and is stuck maintaining the DNS code decides to implement.
When the operating system provides performant DoH lookups for all applications, then sure, lobby your browser to use that code instead of their own.
This is vicious slander. Would the developer who merely broke the build get to write an entirely new system resolver implementation in C++ from scratch, get it into a major OS release and thus break stuff for zillions of users until the whole thing has to be rolled back, never to be seen again? I think not.