https://www.schneier.com/blog/archives/2020/12/oblivious-dns-over-https.html

Oblivious DNS-over-HTTPS

This [new protocol](https://techcrunch.com/2020/12/08/cloudflare-and-apple-design-a-new-privacy-friendly-internet-protocol/), called Oblivious DNS-over-HTTPS (ODoH), hides the websites you visit from your ISP.

> Here’s how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can’t see what’s inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with.

IETF [memo](https://tools.ietf.org/html/draft-pauly-dprive-oblivious-doh-02).

The [paper](https://arxiv.org/pdf/2011.10121.pdf):

> Abstract: The Domain Name System (DNS) is the foundation of a human-usable Internet, responding to client queries for host-names with corresponding IP addresses and records. Traditional DNS is also unencrypted, and leaks user information to network operators. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting traffic and hiding content from on-lookers. However, one of the criticisms of DoT and DoH is brought to bear by the small number of large-scale deployments (e.g., Comcast, Google, Cloudflare): DNS resolvers can associate query contents with client identities in the form of IP addresses. Oblivious DNS over HTTPS (ODoH) safeguards against this problem. In this paper we ask what it would take to make ODoH practical? We describe ODoH, a practical DNS protocol aimed at resolving this issue by both protecting the client’s content and identity. We implement and deploy the protocol, and perform measurements to show that ODoH has comparable performance to protocols like DoH and DoT which are gaining widespread adoption, while improving client privacy, making ODoH a practical privacy enhancing replacement for the usage of DNS.
