There was a good chunk of time where my ISP (Verizon FIOS at the time) was having some kind of DNS hijacking attack happening where many CDN IPs were being replaced with an IP of a server that was adding some ad-injecting JavaScript into many pages (and god knows what else, I still have the payload lying around somewhere as I saved it for future curiosity).
At the time my only real recourse was to pump my whole house through a VPN, as even Google's DNS (8.8.8.8) was being hijacked, but ONLY when it was coming from my home IP. (Full disclosure, I'm not very well versed in the networking stack. I know enough to get myself in trouble, but not much more. This was what I understood to be happening, but I could be way off base. However, it was happening on multiple devices, multiple OSes, multiple Verizon IPs, multiple DNS servers, both with and without a router, and would stop instantly if any of those machines were pointed at a wireless hotspot, or a VPN was turned on. At one point I even sent my router's WAN connection through my phone's hotspot and the problem went away.)
After talking with Verizon many times and each time having to spend an hour or so trying to get through to someone that knew even remotely what I was talking about, all they were able to do was reset my IP, which fixed nothing.
Now that DNS-over-HTTPS is becoming more common, I'm going to use it everywhere I can. Yes, DNSSEC might be a "better" solution, but I can use DoH right now to protect myself on all sites and (hopefully soon) all devices.
Just the other day I discovered Intra [0], a (still unreleased) app by Google for Android which has your whole Android phone use DNS-over-HTTPS.
I've been running it the last few days and I'm quite pleased with it. Does anyone know of a way to force all DNS queries in Windows to use DoH?
[0] https://play.google.com/store/apps/details?id=app.intra&hl=e...
> Does anyone know of a way to force all DNS queries in Windows to use DoH?
I think you could use Pi-hole to do this. https://docs.pi-hole.net/guides/dns-over-https/
Thanks a ton, this looks fantastic! Do you know if it's possible to set up Pi-hole to use this (and possibly other features) but not do any adblocking?
The documentation is not great / accurate but with a bit of fiddling I have it running as a systemd service (launchctl on macOS). I'm using the /metrics endpoint to get details in Prometheus on the stats.