The domain name system (DNS) is one of the Internet's core technologies, but it is invisible to most users. It is the system that takes a hostname such as "www.foo.com" and turns it into the numerical IP address that is needed before any data can actually be transferred.
Most DNS resolution is currently done by whichever Internet service provider (ISP) the user has engaged. The ISP maintains the recursive resolvers that do the translating between names and numbers, which also means it sees every lookup its customers make.
However, Google and Cloudflare have recently moved to bypass these ISP lookups by offering their own public resolver services.
To help in this effort, a transport protocol called DNS over HTTPS (DoH, standardized as RFC 8484) has been developed so that DNS queries can be sent securely over HTTPS.
DoH uses the existing HTTP and Transport Layer Security (TLS) infrastructure to carry ordinary DNS messages inside a connection that is encrypted and whose far end is authenticated by the resolver's certificate. Because the traffic is indistinguishable from other HTTPS traffic on port 443, it is very hard for network operators sitting between the user and the resolver to block or tamper with. One caveat: TLS authenticates the resolver you are talking to, not the DNS data it returns. Checking that the records themselves are genuine is DNSSEC's job, and a DoH resolver can still answer however it likes.
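Here is what that exchange looks like on the wire, as an added example that is not part of the original article: the client builds an ordinary RFC 1035 query message, base64url-encodes it into the ?dns= parameter of a GET request as RFC 8484 specifies, and parses the binary response that comes back. The resolver URL, the queried name and the response bytes are constructed for illustration; nothing here touches the network.

```python
import base64
import struct

# Added example, not code from the original article. The resolver URL is a
# hypothetical value used only to form the request URL.
RESOLVER_URL = "https://doh.example.net/dns-query"
DOH_CONTENT_TYPE = "application/dns-message"  # media type defined by RFC 8484


def encode_name(qname: str) -> bytes:
    """Encode a hostname as RFC 1035 length-prefixed labels, root-terminated."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (header + one question, class IN).
    RFC 8484 recommends a zero message ID so identical queries give cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def doh_get_url(msg: bytes, resolver_url: str = RESOLVER_URL) -> str:
    """RFC 8484 GET form: ?dns=<base64url of the message, '=' padding stripped>."""
    enc = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={enc}"


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes):
    """Return (rcode, [(name, rtype, ttl, rdata)]) for a DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0xF, answers


# Constructed sample response: one A record whose owner name is a pointer
# (0xC00C) back to the question name, as real resolvers emit.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    query = build_query("www.example.com")
    print(doh_get_url(query))  # the dns= value matches the GET example in RFC 8484 section 4.1.1
    print("Accept:", DOH_CONTENT_TYPE)
    print(parse_response(SAMPLE_RESPONSE))
```

The dns= value produced for www.example.com is the same string RFC 8484 uses in its own GET example, which is a handy check that the encoding (URL-safe alphabet, padding stripped) is right. Note that the query itself is plain DNS: DoH changes the transport, not the message format, which is why the resolver sees exactly what a traditional resolver would.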
DoH is not perfect.
DoH shares the benefits as well as the downsides of HTTPS. It can send out more trackable and identifiable data than a regular DNS session, because HTTP carries headers, cookies and a User-Agent string that a resolver can use to fingerprint clients. TLS session resumption can be a tracking mechanism too, since a resumed session ties a new connection to an earlier one.
On the plus side, DoH runs over HTTP/2, so a resolver can push DNS answers to a client before they have been asked for, which could help the loading performance of a page. And because the channel is encrypted and authenticated, as previously mentioned, nobody sitting between the user and the resolver can spoof or rewrite answers in transit, as anyone on the path can with plain UDP DNS. It does not protect against a compromised or dishonest resolver, which sees and controls every answer.
DoH is what allows migration of DNS resolution to cloud entities, bypassing the local provider. If you are in a location that censors what you may connect to, that may be seen as a positive. If you do not trust your current DNS resolver, the protocol gives you a choice in whom you do trust to do your resolution.
But, and this is a big point, the encryption that DoH sets up covers only the lookup itself. The TLS connection the browser then opens to the website still sends the Server Name Indication (SNI), the hostname being contacted, in plain text in its ClientHello, and the DoH connection likewise reveals the resolver's own name. That is true even in the latest TLS version, 1.3, which encrypts the handshake from the ServerHello onward but not the ClientHello that carries the SNI; encrypting the SNI was still only draft work when 1.3 was finalized. So a network operator that DoH has cut out of the DNS loop can still read which sites are being visited, while the DoH resolver sees every name in the clear inside the tunnel by design.
And this gives some users pause when thinking about how DoH may be used.
Whoever runs the DoH resolver sees every name a user looks up and can build a profile over time of the websites visited. Google, when asked about this, has said that its goal is only to create a faster Internet, which allows for more use and hence more searches and thus more revenue for them. One must then trust that Google's viewpoint will not change over time, that it will not monetize this record of user behavior, and that it will not use the bypass of local DNS to defeat network-level controls such as ad blocking, which interferes with its core business.
In the end, changing the way DNS is resolved will give companies like Google even more control over a user's Internet experience. Whether a user is willing to trade avoidance of political censorship for the possibility of commercial censorship is a tricky call.
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.