
Normal DNS uses the UDP protocol on port 53.

It's very easy to intercept, monitor and redirect, which is what we think Comcast is doing.

DNS-over-TLS encapsulates the DNS traffic in a TCP connection with TLS. In other words, all requests are encrypted and it's impossible (without installing a root cert and MITM-ing) to know what site you're consulting.

DNS-over-HTTPS decided to recreate the protocol as either JSON or dns-message (a binary protocol akin to the original DNS protocol) and use an HTTPS request (with HTTP/2 minimum and TLS 1.2/1.3).

A different way to achieve the same idea: encrypt your DNS data (the sites you visit), only here it also makes Comcast think you're consulting a normal website securely.

You're not redirecting all your traffic to a trusted source, just the DNS traffic. Moreover, you can easily set up your own DNS encryption service or choose a provider you trust.
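As an added example (not code from the thread or from any commenter), the three transports described above side by side: the same RFC 1035 query bytes go out bare over UDP/53, with a two-byte length prefix inside TLS on port 853 for DNS-over-TLS (RFC 7858), and as an `application/dns-message` POST body or a base64url `dns=` GET parameter for DNS-over-HTTPS (RFC 8484). The resolver host `dns.example`, the HTTP/1.1 rendering of the POST (real DoH runs over HTTP/2, where the header semantics are the same) and the response bytes with their 192.0.2.1 answer are constructed for this example; the GET token for `www.example.com` is the one RFC 8484 itself shows for that query.

```python
# Added example: DNS wire format, DoT framing, DoH encoding, response parsing.
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels plus the zero root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """RFC 1035 query: 12-byte header (id, flags=RD, qdcount=1) + one question.
    This is exactly what goes into a UDP/53 datagram."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def frame_for_dot(msg: bytes) -> bytes:
    """DNS over TCP (and so DoT, RFC 7858): big-endian 2-byte length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, base: str = "https://dns.example/dns-query") -> str:
    """RFC 8484 GET form: base64url without '=' padding in the 'dns' parameter."""
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{base}?dns={token}"


def doh_post_request(msg: bytes, host: str = "dns.example", path: str = "/dns-query") -> bytes:
    """RFC 8484 POST form. Rendered as HTTP/1.1 text for readability (assumption:
    a real client sends the same headers as HTTP/2 frames inside TLS)."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            "Accept: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(msg: bytes):
    """Return [(name, ttl, 'a.b.c.d'), ...] for the A records in a response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):            # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


# Constructed response (not captured from any resolver): flags 0x8180 = QR+RD+RA,
# one question, one A record whose owner name is a pointer back to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print("UDP/53 payload :", q.hex())
    print("DoT (853) frame:", frame_for_dot(q).hex())
    print("DoH GET        :", doh_get_url(q))
    print("DoH POST       :", doh_post_request(q)[:60], b"...")
    print("Parsed answer  :", parse_a_records(SAMPLE_RESPONSE))
```

The point the commenter makes falls out of the bytes: the UDP payload is the query in the clear, while for DoT and DoH the same bytes are only ever visible inside the TLS session, and the DoH request is indistinguishable on the wire from any other HTTPS request to that host.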




But Comcast would still know what IP address you are communicating with. Isn't that still going to tell them 99% of the time where you are going?

I mean, right now I do a DNS lookup for news.ycombinator.com and I see 209.216.230.240. I'm refreshing the site and that is the address I'm communicating with. Granted, you can have multiple DNS names assigned to the same IP, but that's not going to do a whole lot, right?

What's to stop Comcast from just using their IP->DNS lookup table to do basically what they are doing now? Yeah, it gives them a slightly less clear picture, but almost the same?


One thing they tend to do is, when one tries to go to a site that does not exist, they instead serve up a 'search' page with their ad links and other unrelated junk. Perhaps they don't want to lose the ad revenue from hijacking their users' searches?


Say you are a large ISP and you want to maximize profit. If you can track who your users are connecting to, you can then start degrading their network connection and get the target to pay for a better connection.

Comcast was doing this; people noticed much better latency/bandwidth if they used a VPN so that Comcast couldn't tell they were communicating with Netflix.

So now with encrypted DNS a user looks up netflix.com: "bill@kona:~$ dig +short netflix.com | head -1" gets you 52.37.69.124

But they just see encrypted packets. They can of course do a reverse lookup on the IP, and:

"bill@kona:~$ dig +short -x 52.37.69.124" gets you ec2-52-37-69-124.us-west-2.compute.amazonaws.com.

Is that a webcam watching an eagle's nest? One of a zillion video streaming services? Is it a user's cat-monitoring webcam proxied through a random webcam provider? Someone hosting their Plex server on Amazon?

Without being able to see the DNS records it becomes much harder to track, market to, and muck with a user's traffic.

Comcast could of course make everyone's network connection worse (not just Netflix), but then people would complain that they are paying for a high-speed internet connection (not just a connection to Comcast services) and not getting it.

Almost like net neutrality.


More and more websites rely on CDNs, which means more and more websites share the same IP. This is how CloudFlare works: they proxy the full traffic through their servers to your server.

If you can't see the host/DNS request, you won't be able to know what website is visited.


This is absolutely not how it works. CDNs, and Cloudflare in particular, have lots and lots of IP addresses and don't share the same one among all the websites; instead they shard websites across IP addresses, so each website sticks to a specific IP address. The reasoning behind this is usually all the legal risks, blocking risks, etc. For example, if some government wants to censor a website, they are going to look up its IP address and block it; if the website jumps across many IP addresses they may block all the subnets those addresses belong to, so they can cover all possibilities, which is going to censor lots of other websites on those subnets and make the CDN pretty useless as a CDN.

Anyway, such approaches, in combination with all the IP addresses of the subresources each website links to, can identify 95% of the top 1 million websites, and more than 95% if response sizes are taken into account. No amount of silly encryption toys like DoH, eSNI and TLS 1.3 can protect against that. You need some serious privacy technology to address the problem, like decentralized peer-to-peer overlay networks.
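The identification technique this comment describes, as an added example (not code from the thread, and not a real measurement): an on-path observer who can no longer read DNS still sees, per flow, the destination IP and the number of bytes that came back. If it has first loaded each candidate site itself and recorded that site's set of destination IPs (page plus subresources) and response sizes, an observed page load can be scored against those fingerprints by IP-set overlap (Jaccard) and then by how many recorded response sizes are matched. Every site name, address (RFC 5737 test ranges) and byte count below is constructed; two of the sites deliberately share CDN addresses to show that a shared IP alone is not enough to hide which one was visited.

```python
# Added example: website identification from (dst_ip, bytes) flows alone.
# All fingerprints and the observed load are constructed, not measured.
FINGERPRINTS = {
    # site -> (set of destination IPs seen during a load, list of response sizes)
    "site-a.example": ({"198.51.100.10", "203.0.113.5", "203.0.113.9"}, [14_200, 3_100, 61_000]),
    "site-b.example": ({"198.51.100.10", "203.0.113.5", "192.0.2.77"}, [9_800, 3_100, 2_400]),
    "site-c.example": ({"192.0.2.200"}, [52_000]),
}


def jaccard(a: set, b: set) -> float:
    """Overlap of two IP sets: |A ∩ B| / |A ∪ B|."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def size_similarity(observed, reference, tolerance: float = 0.10) -> float:
    """Fraction of the reference response sizes that some observed flow matches,
    each observed flow usable once, within +/- tolerance (TLS padding, headers and
    ad rotation make exact byte matches unrealistic)."""
    pool = list(observed)
    hits = 0
    for ref in reference:
        match = next((s for s in pool if abs(s - ref) <= tolerance * ref), None)
        if match is not None:
            pool.remove(match)
            hits += 1
    return hits / len(reference) if reference else 0.0


def classify(flows, fingerprints=FINGERPRINTS, ip_weight: float = 0.7):
    """Rank candidate sites for one observed page load.
    flows: [(dst_ip, response_bytes), ...] as an on-path observer would see them.
    Returns [(score, site), ...], best first; score in [0, 1]."""
    ips = {ip for ip, _ in flows}
    sizes = [n for _, n in flows]
    ranked = []
    for site, (fp_ips, fp_sizes) in fingerprints.items():
        score = ip_weight * jaccard(ips, fp_ips) + (1 - ip_weight) * size_similarity(sizes, fp_sizes)
        ranked.append((score, site))
    return sorted(ranked, reverse=True)


# Constructed observation of a user loading site-b: same two CDN addresses as
# site-a, one extra address, and sizes that drift a little from the fingerprint.
OBSERVED_LOAD = [("198.51.100.10", 9_900), ("203.0.113.5", 3_050), ("192.0.2.77", 2_450)]

if __name__ == "__main__":
    for score, site in classify(OBSERVED_LOAD):
        print(f"{score:.3f}  {site}")
```

Run as written, `site-b.example` scores 1.0 and `site-a.example`, despite sharing two of its three addresses, only 0.45: the third address and the size profile separate them. Adding more sites with genuinely identical IP sets and similar size profiles is what would make the ranking ambiguous, which is the scenario the encrypted-DNS-plus-shared-IP argument relies on.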



