DoH should be supported on the OS network stack, if needed.

I can’t understand this move. Firefox should retreat from this default.

Are Linux/Mac/Windows actually working on adding DoH to their network stack? I never heard anything regarding this.

And what would be the relationship to DHCP?

Not sure about Linux/Mac/Windows, but for OpenBSD, you can simply use unbound in base system to enable DoH (EDIT: No, it's not DoH, it's DoT) for everything in your system.

https://man.openbsd.org/unbound.conf

I don't think unbound supports DoH yet (the manpage you link doesn't mention it either). But AFAIK it does DoT.

EDIT: clearly shouldn't have used unexplained acronyms: DoH = DNS over HTTPS, DoT = DNS over TLS (which typically uses port 853)

Which is better, since it avoids ridiculously complicated web standards like HTTP2 for simple DNS lookups.

It sounds bad, but the fact that it can’t be blocked is important in terms of censorship.

DNS over TLS can be easily blocked by blocking port 853. To block DNS over HTTPS you need to block the entire HTTPS traffic.

If that's the concern, you can run a DNS server on port 443.

DOH also doesn't help much with censorship: If you look at traffic patterns, you can detect and block DOH servers pretty easily: look for small queries to a constant endpoint that come just before new connections.

“You” need to run port 443 DNS server. Instead we can make this mandatory for everyone.

Your explained method is nearly impossible to implement for medium to large scale networks.

Why? I can't imagine it'd make most flow inspecting firewalls and middleboxes break a sweat. If you want extra confirmation before banning, you can fire off a DNS query before killing the connection.

Hell, you can go even more trivial with barely any effort: for every new https connection to an unknown server, send a DNS query. If you get a response, block the IP.

HTTP adds nothing but complexity.

Oh no no no, it does add security.

Think DNS over TLS. Okay. You think $ip:$port is a dns connection. You send query with DoT protocol. You get answers. Bingo! It’s DNS.

If it’s DNS over HTTPS, you can’t tell. What domain(dns.quad9.net or cloudflare-dns.com or dns.google or whatever you can imagine) is it? What endpoint and method(/dns-query?url= or whatever you can imagine) is it? You can’t tell.

HTTP adds complexity. Complexity adds security.

If I can't tell, neither can the legitimate users. This makes queries that would out of the box rather hard.

And you still have the traffic patterns that will give you the information with sufficient confidence.

Why should legit users need to check whether a packet is to a dns server or not?

And blocking https packets with mere confidence is impossible.

Well, it's hard to get a DNS response when you aren't talking to a DNS server...

So, yeah, I can serve up DOH on my own server with a custom endpoint, custom client configuration, and generate cover traffic. But that's not exactly easy. And http doesn't help: I can do that without http, something like https://github.com/yrutschle/sslh, or using SNI (which, as of TLS 1.3, is encrypted).

And merely saying something is impossible doesn't make it so. It doesn't even make it hard.