
DNS isn't encrypted. Anyone passing your DNS queries between you and your DNS provider can inspect them.

DoH or DoT would allow your upstream DNS provider to see your queries, but anyone passing them around wouldn't see the content of the queries.

Comcast won't be able to read those queries if they're encrypted via DoH, and part of their business model involves spying on their customers' queries and selling the data.

DoH has nothing to do with proxying.




Thank you, however I still don't understand how it works from what you said. What is an "upstream DNS provider" in this context?

I'm just not seeing how Comcast can't still know where you're going, since obviously you are routing your traffic through them and they see the IP address; how is the IP not giving them enough information to figure out where you are going? Is encrypted DNS only going to work for a handful of sites running in some special way, or is this supposed to work for everything?


> What is an "upstream DNS provider" in this context?

This would be your DoH provider. You can have layers of caching and DNS servers on your machine and network, but DNS queries ultimately have to go to a foreign DNS provider.

> I'm just not seeing how Comcast can't still know where you're going

If your connections aren't encrypted, or you only access servers with static IP addresses, then Comcast will be able to know where you're going.

Modern web applications have many layers of indirection, and you can't always correlate accessed IP addresses with the service the user is using.

As an example, consider a site that uses HTTPS and is proxied with Cloudflare. To Comcast, you're sending encrypted bytes to an IP address that doesn't identify the site, it's just Cloudflare. With unencrypted DNS, Comcast can just look at your DNS queries and determine the sites you're visiting. With encrypted DNS, Comcast sees that you connected to your DNS provider and Cloudflare, which isn't exactly valuable.


> With encrypted DNS, Comcast sees that you connected to your DNS provider and Cloudflare, which isn't exactly valuable.

Comcast also sees SNI in plain text, sees all the other connections to other IPs for 3rd party resources on that domain, also with SNI, and sizes of all the responses of course. And just the IP addresses and response sizes give enough information to figure out what domain is visited, never mind seeing it in plain text in SNI.
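The two comments above describe what an on-path observer recovers from a plain DNS query versus from the TLS ClientHello that follows it. The following is an added example in Python, not code from anyone in the thread: it builds a constructed DNS query and a constructed TLS 1.2/1.3-style ClientHello for a sample hostname, then parses both the way a passive network monitor would. Modelling DoH as "the DNS bytes are no longer on the wire in the clear" shows that the query name disappears from the observer's view while the SNI field stays readable. All packet contents, hostnames and transaction IDs are constructed sample values.

```python
import struct
from typing import Optional

SAMPLE_HOST = "news.ycombinator.com"  # constructed sample hostname


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed plain-text DNS query (A record) as sent over UDP port 53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_query_name(packet: bytes) -> str:
    """Read QNAME from a DNS query; an on-path observer sees this with plain DNS."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode())
        pos += length
    return ".".join(labels)


def build_client_hello(sni: str) -> bytes:
    """Constructed TLS record carrying a ClientHello with a server_name extension."""
    name = sni.encode()
    server_name = struct.pack("!BH", 0, len(name)) + name        # name_type=host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list         # extension type 0 = server_name
    body = (
        b"\x03\x03" + b"\x00" * 32            # legacy version + 32-byte random (zeros in the sample)
        + b"\x00"                             # empty session id
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                         # one compression method: null
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def client_hello_sni(record: bytes) -> Optional[str]:
    """Extract the plain-text SNI from a ClientHello record, as a monitor would."""
    if record[0] != 0x16:                     # not a handshake record
        return None
    hs = record[5:]
    if hs[0] != 1:                            # not a ClientHello
        return None
    pos = 4 + 2 + 32                          # skip handshake header, version, random
    pos += 1 + hs[pos]                        # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hs[pos]                        # compression methods
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                        # server_name: list_len(2) type(1) name_len(2) name
            data = hs[pos:pos + elen]
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode()
        pos += elen
    return None


def observer_view(dns_wire: Optional[bytes], tls_record: bytes) -> dict:
    """What an on-path observer recovers. dns_wire=None models DoH/DoT: the query
    travels inside TLS to the resolver, so its bytes are not readable on the wire."""
    return {
        "dns_qname": dns_query_name(dns_wire) if dns_wire else None,
        "tls_sni": client_hello_sni(tls_record),
    }


if __name__ == "__main__":
    hello = build_client_hello(SAMPLE_HOST)
    print("plain DNS :", observer_view(build_dns_query(SAMPLE_HOST), hello))
    print("DoH       :", observer_view(None, hello))
```

With plain DNS the observer gets the hostname twice (QNAME and SNI); with DoH the QNAME is gone but the SNI still names the site, which is the point the comment makes. Encrypted SNI / ECH changes the ClientHello so that the server_name extension no longer carries the real hostname in the clear; this parser would then return only whatever outer name the handshake exposes, not the destination.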


In combination with Encrypted SNI in TLS 1.3 (https://blog.cloudflare.com/encrypted-sni/), they won't be able to see that.


DoH + eSNI + TLS 1.3 won't prevent seeing IP sets. See this thread https://news.ycombinator.com/item?id=21340671 and my other comments here.

There are only detrimental effects from DoH on privacy, because an extra party sees lots of stuff about you and your ISP still sees everything.


Good point. Hopefully encrypted SNI will gain traction, as well.


Has DNS yet removed the possibility of an ISP front-running replies for outside DNS? For example, you want to see HN, but Comcast would rather you see HN through their ad-injecting proxy - their systems can see your DNS query and reply with the proxy.

Seems like encryption and signing would help here as well.


They don't need to front run. They can simply impersonate and not pass along the queries.


Do you mean Dan Kaminsky's issue from 2008? (https://en.wikipedia.org/wiki/Dan_Kaminsky#Flaw_in_DNS)

If so, this was fixed... in 2008.


Fixed is much too strong a word. Mitigated is more descriptive. From your link:

> This fix is widely seen as a stopgap measure, as it only makes the attack up to 65,536 times harder. An attacker willing to send billions of packets can still corrupt names.


Fair.


Nah, they'd be able to use a much more surgical approach because they wouldn't need to guess the txid. They can just spool off packets that match what they're looking for and respond to them themselves instead of sending them along to 8.8.8.8 or whoever.



