On Tue, Oct 1, 2019 at 8:22 AM Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> On Tue, Oct 01, 2019 at 12:11:32PM +0200,
>  Jeroen Massar <jeroen@massar.ch> wrote
>  a message of 101 lines which said:
>
> >  - Using a centralized/forced-upon DNS service (be that over DoT/DoH
> >  or even plain old Do53
>
> Yes, but people using a public DNS resolver (of a big US corporation)
> over UDP is quite an old thing and nobody complained. I really wonder
> why there was so little reaction against OpenDNS or Google Public DNS
> and suddenly a lot of outcry against DoH...

Mainly because no one was ever forcibly defaulted to those, while browser makers are now going to be defaulting to sending queries to a specific set of DoH servers not set by DHCP/etc. locally, but rather chosen by the browser maker, in a way that most users won't even realize/notice, hence allowing the browser maker to determine who gets to see the queries the user is making while surfing the web in that browser. This is a major change from how browsers and other applications have historically behaved, where DNS servers were set either locally on the host, or via DHCP or some such at the LAN level. This change will almost certainly be made without the user explicitly consenting to it.

Effectively, there is no outcry against DoH. There is outcry against how some browser makers are implementing some configuration changes. It wouldn't matter what protocol they were using, even if they simply skipped local/LAN resolver configs and went straight to UDP/TCP 53 on their chosen servers for recursive queries.

Browser makers rule the world in a number of ways already, like choosing which TLS root certificates to include, and setting default search engines and settings (sometimes on update, even overriding explicit user settings, as was the case when Firefox switched to a paid arrangement with Yahoo.) There's a lot of potential for abuse here, and so oversight in the form of "outcry" seems entirely justified when such changes occur.