This setup does the opposite of what they're hoping to do, and is the exact reason that Tor implemented "Entry Guards".
If there is any pattern in the DNS queries you perform (e.g. you visit certain sites regularly), then all of a sudden there are now going to be four additional organisations that know your browsing habits, on top of your existing one (your ISP).
Imagine you go to pornhub.com every day. Your ISP knows that you're doing that today because of your DNS lookups, and they will still know that after the deployment of DoH and ESNI, because like millions of other websites, pornhub doesn't share their IP addresses. But now all of a sudden, you'll be telling Cloudflare one day that you go to pornhub, Google the next day, OpenDNS the next day, and 42l the next day.
Why do people insist on increasing the number of organisations with access to their browsing history, in the name of privacy?
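To make the point above concrete, here is a small Python model, added here and not code from the thread or from any of the resolver operators named in it. It tallies which resolvers have seen which domains of a fixed daily browsing profile under three client strategies: rotating resolvers day by day, rotating per query, and sticking to one resolver (the entry-guard idea). The four resolver names are the ones mentioned in the comment; the domains and the 30-day window are constructed for the example.

```python
"""Model how a habitual DNS query pattern is exposed to third-party resolvers.

Added example, not from the original thread. The resolver names are the four
mentioned in the comment; the browsing profile and time window are constructed.
"""
from collections import defaultdict
from itertools import cycle

# Constructed data: the resolvers named in the thread and a small profile of
# domains the client looks up every single day.
RESOLVERS = ("cloudflare", "google", "opendns", "42l")
DAILY_PROFILE = frozenset({"news.example", "mail.example", "video.example"})


def simulate(days, choose_resolver):
    """Return {resolver: set(domains it has seen)} after `days` days.

    choose_resolver(day, domain) names the resolver used for one lookup.
    Domains are looked up in a fixed order each day so runs are repeatable.
    """
    seen = defaultdict(set)
    for day in range(days):
        for domain in sorted(DAILY_PROFILE):
            seen[choose_resolver(day, domain)].add(domain)
    return dict(seen)


def rotate_daily():
    """A different resolver each day, round-robin: the 'Cloudflare one day,
    Google the next' pattern described in the comment."""
    return lambda day, domain: RESOLVERS[day % len(RESOLVERS)]


def rotate_per_query():
    """Per-query round-robin: consecutive lookups go to different resolvers."""
    it = cycle(RESOLVERS)
    return lambda day, domain: next(it)


def sticky(resolver):
    """One resolver chosen once and kept, like a Tor entry guard."""
    return lambda day, domain: resolver


def resolvers_with_full_profile(seen):
    """Resolvers that have observed every domain in the daily profile."""
    return sorted(r for r, domains in seen.items() if domains >= DAILY_PROFILE)


def exposure_counts(seen):
    """For each profile domain, how many organisations have seen it."""
    return {d: sum(d in s for s in seen.values()) for d in sorted(DAILY_PROFILE)}


if __name__ == "__main__":
    for name, strategy in (("rotate daily", rotate_daily()),
                           ("rotate per query", rotate_per_query()),
                           ("sticky", sticky("cloudflare"))):
        seen = simulate(30, strategy)
        print(f"{name:17s} full profile known to: {resolvers_with_full_profile(seen)}")
        print(f"{'':17s} organisations per domain: {exposure_counts(seen)}")
```

After 30 days both rotation strategies hand the complete profile to all four resolvers, while the sticky strategy exposes it to exactly one; the ISP sees it in every case, so rotation only adds observers.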
I agree that there is little gain in hiding DNS traffic from your ISP. And like you I'm wondering what the benefit of spreading around one's DNS profile should be. I think it's better to just pick the DNS provider one distrusts the least.
But once you use DoH, using a private DNS proxy does in fact provide (some) protection, because it detaches one's client address from the requests. Breaking this requires timing correlation or individual domain names for tracking.
Why set up a private DNS proxy when you can (arguably more easily) set up a private VPN, which protects all of your traffic instead? A quick "apt install unbound" on the VPN server will give you a private recursive DNS resolver which supports DNSSEC, and you'll be communicating with that over the VPN, so DoH gives you nothing...
So, what is the benefit of a private tunnel that maps uniquely to you?
Addendum: If it's about distrusting your ISP you gotta consider that you're just moving trust to another ISP or service provider (or worst case both, if they're separate entities).
You're just choosing another ISP to give your data to. In the end the VPN server will be somewhere connected to an ISP. I'm doing just that but I'm fully aware that I have to have at least some measure of trust in my own ISP, as opposed to Google, Cloudflare, or any other such entity.
If you set up your own private VPN and send all traffic over it, then you're choosing another ISP to give your data to yes.
If you set up a DoH proxy, and don't route the rest of your traffic through an encrypted tunnel to the same point, then you're choosing two ISPs to give your data to, instead of just the one.
> I agree that there is little gain in hiding DNS traffic from your ISP. And like you I'm wondering what the benefit of spreading around one's DNS profile should be. I think it's better to just pick the DNS provider one distrusts the least.
This assumes you trust your ISP. I know mine does metadata retention, therefore I do not trust them with my privacy. I also know mine blocks things based on a government "block list" which was implemented all in the name of stopping "serious criminals" such as pedophiles and terrorists.
However, in practice it's used for much more than that, which does not constitute any criminality (news websites such as torrentfreak.com); that's because of corruption. The Minister for Communications https://en.wikipedia.org/wiki/George_Brandis that oversaw the implementation of this system was also the Minister for Arts and had heavy ties to the movie industry. He had a lot of collusion with Village Roadshow and Sony (evident from the leaked Sony emails) on this matter.
In other parts of the world I have heard that certain ISPs collect that data for marketing purposes.
> When you set up a private VPN to tunnel your traffic through, doesn't your VPN server just become your client? Or am I missing something here?
This is why I pipe everything through a VPN, that I trust more to protect my privacy than my ISP.
My DNS requests then go through to the DNS server on my VPN's network (it's in private address space), that recurses to Cloudflare. As far as those DNS providers are concerned "someone from that provider did a lookup for something", assuming that it isn't already cached.
The reason I use a VPN provider and don't run a VPN on my own server is because that would just link back to a server that is controlled by me; this way my network traffic is mixed with unrelated customers. For times when I need strong anonymity of course I use Tor (just before anyone points that out).
I have found issues in the past, particularly with EDNS subnet information not being available when accessing archive.is https://news.ycombinator.com/item?id=19828317 so that's why I have mine set up like so:
I believe this is the 'correct' way to ensure privacy. Essentially my network works like this:
VLAN2 -> direct to ISP via ppp0
VLAN3 -> through VPN via tun0
Local unbound server forwards everything into dnscrypt that first tries my VPN's DNS server, then tries to use DNSCrypt over the VPN
Regardless of which VLAN I am on, my DNS traffic is always sent through my VPN; https://www.dnsleaktest.com/ is a great site for testing that.
I tend to use VLAN2 for things like financial, or stuff where I do not want to be anonymous or cases that require extremely low latency such as gaming. In either case DNS lookups still go through the VPN.
Don't set up or use this system.