
That instantly makes me feel dns encryption is something worth exploring in depth...



I have a full tutorial on how to set up DoH for yourself:

https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https...


Why would you do this instead of, say, the easier and more general DNS over WireGuard?


You wouldn't. But Firefox and Chrome users might be happy to have this done for them.


erm, how do you mean? DoH and DoWG have essentially the same security properties, no? With authoritative servers only responding in the clear, you have to trust some egress provider. If I'm understanding it correctly, the only use case for DoH is for end users that don't have a remote box to trust with their egress.

Which certainly is a worthy segment. It just seems like any DIY network setup would be orthogonal to that. And so there's no point addressing DoH on your local network unless you're trying to mitigate DoH's effects on, e.g., ad blocking.


US ISPs are currently, actively, aggressively manipulating DNS. People shouldn't trust their ISP DNS. If they run normal DNS to a third-party resolver, their ISPs still see their queries. If they use DoH, they can't. If they use WireGuard, their ISP sees even less of their traffic, but WireGuard is harder to set up than DoH, which your browser will do for you.
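What actually goes over the wire with DoH, as an added example that is not from this thread or from any project it names: the very same RFC 1035 query a stub resolver would send in the clear on UDP/53, wrapped in HTTPS as RFC 8484 describes. The endpoint URL is an assumption (the Cloudflare resolver mentioned elsewhere in the thread); all names and helpers here are illustrative.

```python
import base64
import struct
import urllib.request

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # assumed; any RFC 8484 server works

def build_query(name, qtype=1, txn_id=0):
    """Plain DNS wire-format query (RFC 1035); RFC 8484 suggests ID 0 for cacheability."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """GET form: unpadded base64url of the raw query in the `dns` parameter."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def _read_name(msg, off):  # decode a (possibly compressed) name -> (name, next offset)
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_a_records(msg):  # IPv4 addresses from the answer section of a wire-format response
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question (name + QTYPE + QCLASS)
        off = _read_name(msg, off)[1] + 4
    ips = []
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

def resolve(name, endpoint=DOH_ENDPOINT):  # live lookup, POST form; ISP sees only TLS to endpoint
    req = urllib.request.Request(endpoint, data=build_query(name), headers={
        "content-type": "application/dns-message", "accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_records(resp.read())
```

Only `resolve()` touches the network; the query built for `www.example.com` encodes to the exact `dns=` value RFC 8484 uses in its own GET example.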


Sure, but the post I was responding to was detailing how to set up your own DoH server, which is not so trivial.

I suppose you could set up an Internet-facing DoH server, and then point their routers (dhcp servers) at your new DoH server, rather than heavy-configuring their premise routers to use wireguard. (Of course then you're installing your server as a point of failure, which is probably not what you want to do!)


That's actually the setup I have today.

However, it's easier to set up DoH/DoT than to set up a WireGuard VPN. Especially when setting it up for mobile devices.


It makes me want to implement it immediately.


You already can for your whole network: https://scotthelme.co.uk/securing-dns-across-all-of-my-devic...

Or if you use Firefox you can enable it for each browser.


I do DoH with Pi-hole and Cloudflare (followed the Arch wiki for all of that) but I think it's silly. You don't know what I'm resolving but you still know what IPs I'm visiting and can just look up their host names. What does it really do?


You can have multiple hostnames per IP (e.g., if you are using a site that uses Cloudflare).

That fact will make it very difficult to resolve hostname to IP address for anyone behind a CDN. That is the reason Comcast is fighting it.


Makes sense. Thanks. Then I'm glad I'm using it! I fell into the Arch wiki black hole and an hour later had Pi-hole, DoH and OpenVPN all configured so all my devices including my iPhone go through my home internet and the Pi-hole. Pretty neat. No ads while mobile. I did have to do TCP on 443 since UDP and T-Mobile did not play nice together. I was too lazy to debug that though.


A fair chunk of internet content is hosted in the cloud. So while Comcast knows exactly what IPs you are talking to, they can't tell much else.

This prevents them from tracking your habits, selling that data, and creating or marketing competition. It also makes it harder to cripple the network for some specific competitor like YouTube or Netflix.

How else is Comcast going to hold its users hostage so Netflix has to pay extra to get the bits the customers paid to get?


The vast majority of relevant privacy-sensitive information is not IP addresses. The ISP can't read the full content of every page just from IP addresses.


I thought DoH would defeat the Pi-hole. Is this incorrect?


Check out the Pi-hole Arch wiki. Tells you how to use DoH with Cloudflare. Takes 2 minutes.


I set up DoH using dnscrypt-proxy the other day and it was easy. And as a bonus, I enabled logging, so now I can tell what domains are being looked up by my computer.



