DoH and VPNs and trust

We live in a strange world, one where trust is a complex issue.

Once upon a time we would all trust the "authorities", i.e. the police and our own governments, but increasingly we live in a world where a lot of people have good reason (not even criminal reasons) not to trust them.

The Internet is an especially complicated area, where international players of all sorts come into play, with commercial, political and criminal reasons to cause you concern.

The Internet protocols were built on a lot of trust, but now we see some new mechanisms to help with that, two of these being DoH and VPNs.


DNS over HTTPS (DoH) is one element, with DNSSEC being another. Using DoH means you make your DNS requests as HTTPS requests to some external resolver, rather than as plain (unencrypted) DNS queries to the resolver your ISP hands you.

An HTTPS request looks much like any other, and on the wire could as easily be you accessing facebook as accessing a DoH server. The queries inside it cannot be snooped on or selectively blocked: at most, someone in the path can see (from the IP address and the TLS server name) that you are talking to a particular resolver, and block that resolver wholesale.

If you do not trust your ISP to provide "clean" DNS without filtering or snooping, DoH allows you to choose someone else to trust. That is the problem: you still have to trust someone, but at least you have a choice of who.

In addition to DoH, you can also use DNSSEC to validate the authenticity of the responses, i.e. that they are signed by the zone owner and have not been altered on the way. Using DoH means someone in the middle cannot snoop, or easily do any selective blocking. But whoever offers the DoH service could, and DNSSEC only lets you detect a forged answer, not a refusal to answer, so the choice of provider still matters.


A VPN provider works in much the same way: you effectively choose a different "ISP" to provide your Internet access, tunnelled over the ISP you actually connect through. Again, it comes down to choosing who to trust.

I was surprised how popular our own (unencrypted) L2TP service at A&A has been; being unencrypted, it gives you our routing and addresses over your existing connection, but hides nothing from that underlying ISP. In time I am sure we will be offering IPsec-based virtual ISP services too.

Browsers doing DoH

Mozilla are working on using DoH in browsers, which means someone (like an ISP) cannot snoop, or selectively block, DNS requests. It is sad that this is even necessary. Note that AAISP do not filter or block any DNS, and have no plans to.

Oddly this upset ISPA, who have considered naming Mozilla their "Internet villain" this year for the DoH work.

This seems odd. If an ISP has an order to block some DNS names, then it cannot block lookups of those names made via DoH, but so what? The ISP is still complying with the order on its own resolvers.

I was surprised ISPA took that stance, even for a joke "Internet villain" award. I can only hope they do not select Mozilla as the villain.

So A&A have donated the same amount as an ISPA membership, £2,940, to Mozilla. We have not been ISPA members for some time, but this is the first time I have felt ISPA were taking views I really did not agree with.

We all benefit so much from the work of Mozilla every day that this seemed well worthwhile.


  1. As I see it, ISPA's trying to claim that as long as DNS blocking can be said to work against most customers most of the time they won't be forced to use a form of blocking that would actually work against smart people. This kind of compromise never ends well.

    If Mozilla sets a default DoH provider, said provider instantly becomes a target to be compromised…

  2. Re: A&A's L2TP sorta-"VPN":

    I've wanted to use that before on previous smartphones, but for some reason only the latest version of Android (9, I think) appears to support L2TP *without* encryption (i.e. IPsec), and of course now that I have the technical means to use it, I have no need for it any more!

    (I don't exactly recall what I was wanting to use it for back then, but I think it was due to mobile networks - probably then-T-Mobile - blocking certain things, either websites or stuff like VoIP, but *not* blocking L2TP as far as I could tell... But my latest phone - Huawei's Mate 20 Pro - has Android's native SIP client disabled, it seems.)

    I'm still planning to set up some kind of VPN server on my MikroTik router at home, for various privacy reasons when I'm not on a trusted network. Now that we have two 80/20 lines here (well, 65/20 + 70/20...), relaying traffic via home isn't such a big deal :)

    And if I ever implement my idea of having a backup home Internet connection wherein my MikroTik router is connected to my "server closet" Raspberry Pi via Ethernet, which then connects to my phone's WiFi hotspot, thus allowing everything on the home network to access the Vodafone-filtered Internet via several extra layers of NAT, I may consider using your L2TP service over that so that we can get our IPv4+v6 addresses over that NAT chain and skip the blocking. (The Raspberry Pi hop is because I don't think the MikroTik would act as a WiFi client to my phone, though I could be wrong!)
