DoH: (Anti-)Competitive and Network Neutrality aspects

Much has already been written on how moving to centralised DNS is bad for our privacy in 2019, and on that basis alone centralising our DNS on a few large cloud providers seems like a bad idea.

In this post, I want to look at the business and commercial consequences of moving DNS from the Internet Service Provider to a centralised place in the cloud, paying special attention to network neutrality, (anti-)competitive & regulatory aspects.

I hope that afterwards, it will be clear that when service providers argue against DoH, this does not have to mean they were spying on their users and hope to continue doing so – there are other major problems as well.

The lay of the land

As of 2019, the internet roughly looks like this:

This is a sampling of the big guns of content distribution. Most of these are reached directly from the ISP, with some content providers hosting their servers within the network service providers. The biggest Content Distribution Networks (CDNs) shift so much data that it even makes sense to have regional caches spread out throughout an ISP's service area.

In this layout, the ISP is completely in charge of distributing traffic. If it does a bad job, it will make its customers unhappy. If an ISP decides to prioritize one content provider over another, this is called a network neutrality violation, and various countries and regions (including the EU) have regulated the networking industry to outlaw this practice. Despite this fact, ISPs can sometimes wield significant power and for this reason they are under constant regulatory scrutiny. 

Note that some countries have an underdeveloped ISP market, with large fractions of the population having no choice of broadband service provider. Regulation is then of the utmost importance to keep everyone honest, but in some of these countries the regulator has been captured by industry and is no longer very effective. This mostly goes for the US. 

Technical details

Gaining access to content is a two-step process. Users, apps and browsers almost exclusively connect to domain names (like ‘’) to retrieve content or perform actions. Such domain names cannot be accessed directly on the internet because devices and servers talk to each other using IP addresses. DNS is used to find the IP address associated with a domain name, and then a connection can be made. Currently this mostly looks like this:

First (1) a device (computer, phone, tablet, TV, set-top box, streaming device) requests the IP address for ‘’ from the ISP DNS server. This server either has the answer already (likely), or (2) it will talk to the CDN DNS server, which then (3) responds with the best IP address for the request, which is then (4) relayed to the original client. In the final step (5), the client device sets up a connection to that IP address.

Of note is that steps 1 through 4 are essentially spent “waiting”. If this process is slow, ISP subscribers experience bad performance and the internet feels sluggish. 

Also noteworthy is that in step ‘2’, the customer’s network number (AS) is shared with the CDN. This can allow the CDN to pick the “best IP address” based on where the user is connected to the network, so content can be served to them from a well-placed cache. 

In this (the existing) configuration, ISPs and CDNs have very well aligned incentives – providing end-users with rapid and snappy access to content.

The brave new world of centralised DNS over HTTPS (DoH)

Centralised DoH is where browsers, operating systems, phones, tablets or computers no longer send their DNS lookups to the network-provided (ISP) DNS server, but transmit the query to a server hosted by a third party (in this case, the first party is the customer, the second party is the ISP).

The narrative behind centralised DoH is that regular DNS is unencrypted. In addition, Internet service providers are presumed to be profiling their customers and selling their browsing behaviour, and DoH is claimed to stop this (although it doesn’t). DoH operators vow (with differing specificity) not to sell customer data. They will however keep 24-hour logs of all queries for analysis, for some reason.
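What a DoH lookup actually carries on the wire, as an added example that is not part of the original post: the DNS message is the same binary format that a stub resolver would send in plaintext over UDP port 53; DoH (RFC 8484) merely wraps it in an HTTPS request, here the GET form with the message base64url-encoded in the dns= parameter. The endpoint URL, the queried name and the response bytes are constructed for illustration and nothing is sent over the network.

```python
import base64
import struct

# Hypothetical DoH endpoint; constructed for this example, not a real resolver.
DOH_ENDPOINT = "https://doh.example.net/dns-query"


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a standard DNS query (12-byte header plus one question, class IN).

    RFC 8484 recommends transaction ID 0 so that identical queries yield
    byte-identical HTTP requests, which HTTP caches can then serve.
    """
    flags = 0x0100  # RD (recursion desired); opcode QUERY, everything else zero
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    return header + question


def doh_get_url(endpoint: str, wire: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding in the dns= parameter."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def build_response(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Constructed answer a resolver might return for a build_query() message."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = query[12:]
    # Answer RR: name is a compression pointer to offset 12 (the question name)
    rdata = bytes(int(octet) for octet in addr.split("."))
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + rr


def parse_a_answers(wire: bytes) -> list:
    """Extract IPv4 addresses from a DNS response, honouring name compression."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", wire[:12])

    def skip_name(pos: int) -> int:
        while True:
            length = wire[pos]
            if length == 0:
                return pos + 1
            if length & 0xC0 == 0xC0:  # compression pointer occupies two octets
                return pos + 2
            pos += 1 + length

    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in wire[pos:pos + 4]))
        pos += rdlen
    return addrs


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_ENDPOINT, q))
    # 192.0.2.10 is an RFC 5737 documentation address, constructed for the demo
    print(parse_a_answers(build_response(q, "192.0.2.10")))
```

The point for the discussion that follows: because the query body is carried inside an ordinary HTTPS request, neither the ISP nor the operating system can tell it apart from any other web traffic, which is what makes it possible for an application to pick its own resolver regardless of the network-provided one.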

So far three companies have been entertaining the idea of centralised DoH: Google, Mozilla (Firefox) and Cloudflare. Google has recently decided that their browsers and phones will not use centralised DoH for now, but they are doing it for their Google Home Wifi products.

Cloudflare is pushing heavily for the world to centralise DNS on Cloudflare. While their CEO tweets from time to time that he’d be happiest if other people also offered DoH, they are expending significant lobbying efforts in convincing (some) browser vendors, governments and regulators that it is a good idea to move DNS from regulated network providers to Cloudflare.

Specifically, in the US, these efforts have been successful, with Mozilla deciding all Firefox DNS traffic should be sent to Cloudflare by default. Firefox users there receive a notification about the move, but do not have to opt-in. If they want to go back to their network provided DNS, they have to click a scary button called “Disable Protection”:

Flow of control with Centralised DoH

Let’s say a Firefox user in the US wants to visit some Akamai hosted content. With centralised DoH, the DNS lookup bypasses the local ISP DNS and instead goes to a Cloudflare server. This server may have to in turn ask the Akamai nameserver for the IP address, and once this is returned to the user, the actual connection to Akamai can be established, providing access to the content.

We have to keep in mind that if a DNS lookup is slow, the entire internet feels sluggish. Slow DNS = Slow internet. In this new scenario, Cloudflare, an Akamai competitor, is responsible for making Akamai service snappy. In addition, for this to work, connectivity from the ISP to Cloudflare needs to be perfect, and the same goes for the connection between Akamai and Cloudflare – companies who previously did not exchange a lot of data, nor had much of an interest in doing so. 

In addition, where previously CDN operators could provide optimized DNS answers, because they could see where the query was coming from, Cloudflare has vowed not to provide such details to CDNs, ostensibly for privacy reasons. A CDN nameserver will henceforth only see that a query came from “Cloudflare”, and no longer from which ISP. This leads to sub-optimal routing, which I have personally experienced as “dog slow internet” when trying to access Akamai-hosted content through Cloudflare DNS.
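How the loss of client network information degrades CDN steering, as an added example that is not code from the original post. The post describes the ISP resolver sharing the customer's network with the CDN in step 2; in practice resolvers do this with EDNS Client Subnet (RFC 7871), which forwards a truncated client prefix, so the example models that. The topology (two ISP-local caches, one distant fallback cache, a resolver inside ISP A and a third-party cloud resolver) and all addresses (RFC 5737 documentation ranges) are constructed; the example also goes slightly beyond the text by showing the case where the third-party resolver does forward the client subnet.

```python
import ipaddress

# Constructed CDN topology: which client networks each cache is closest to.
CDN_CACHES = {
    "cache-isp-a": {"serves": ipaddress.ip_network("192.0.2.0/24"), "addr": "198.51.100.10"},
    "cache-isp-b": {"serves": ipaddress.ip_network("203.0.113.0/24"), "addr": "198.51.100.20"},
    "cache-central": {"serves": None, "addr": "198.51.100.99"},  # far from every ISP
}

# Constructed resolver locations: the source network the CDN sees a query from.
RESOLVER_NETWORKS = {
    "isp-a-resolver": ipaddress.ip_network("192.0.2.0/24"),    # inside ISP A
    "central-doh": ipaddress.ip_network("198.51.100.0/24"),    # third-party cloud resolver
}


def cdn_pick_cache(seen_network):
    """CDN authoritative server: choose the cache nearest the network it can see.

    Falls back to the central cache when nothing matches, which is the
    'sub-optimal routing' the post describes.
    """
    for name, cache in CDN_CACHES.items():
        if cache["serves"] is not None and seen_network.subnet_of(cache["serves"]):
            return name, cache["addr"]
    return "cache-central", CDN_CACHES["cache-central"]["addr"]


def resolve(resolver, client_ip, forward_client_subnet):
    """Recursive resolver forwarding a query to the CDN, with or without ECS."""
    client = ipaddress.ip_address(client_ip)
    if forward_client_subnet:
        # EDNS Client Subnet: send a truncated prefix (/24), never the full host address,
        # so the CDN learns the client's network but not the individual user.
        seen = ipaddress.ip_network(f"{client}/24", strict=False)
    else:
        # Without ECS the CDN only sees the resolver's own source address.
        seen = RESOLVER_NETWORKS[resolver]
    return cdn_pick_cache(seen)


def compare_scenarios(client_ip):
    """Return which cache a client is steered to under each resolver setup."""
    return {
        "isp resolver, no ECS": resolve("isp-a-resolver", client_ip, False),
        "central resolver, ECS stripped": resolve("central-doh", client_ip, False),
        "central resolver, ECS forwarded": resolve("central-doh", client_ip, True),
    }


if __name__ == "__main__":
    # A constructed subscriber of ISP A
    for scenario, (cache, addr) in compare_scenarios("192.0.2.77").items():
        print(f"{scenario:32s} -> {cache} ({addr})")
```

Note that the ISP resolver does not need ECS at all: its own source address already sits in the subscriber's network, so the CDN's choice is right without any client information being shared. Only a resolver located outside the ISP has to forward something about the client to get the same result, and a resolver that declines to do so lands every subscriber on the fallback cache.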

Cloudflare, and connectivity to Cloudflare, now determine how quickly sites load to such an extent that we may as well change our initial ‘Internet lay of the land’ diagram to this:


Every website visit, every lookup of every domain name now passes through Cloudflare. If Cloudflare has a bad day, the internet has a bad day. If Cloudflare and the ISP have a mutual network issue, instead of this only impacting Cloudflare, it now impacts all sites a subscriber would like to visit. 

In addition, because of the flow of packets, not only does the ISP need to have top-notch perfect connectivity to Cloudflare, from now on, so must EVERY content provider in the world – the moment there is any congestion on the link, lookups slow down, and with that access to all content from that CDN.

Of special note is that regular ISPs are highly regulated precisely because they are in such a crucial position. Meanwhile, in its new position, Cloudflare has become critical internet infrastructure, but has somehow completely evaded regulation.

Why this is problematic

Within Cloudflare, there is no department called “Keeping Competitors’ Services Snappy”. In fact, Cloudflare lists many of the content providers above (and their suppliers) as outright competitors in their S-1 filing with the SEC:

Whenever ISPs have complained about Cloudflare inserting itself in the lookup chain, this has been framed as providers whining about no longer being able to violate their customers’ privacy. But for example in Europe where ISPs are not in the business of selling their user data, this rings hollow.

The real problem is that an unregulated entity is attempting to take over highly regulated services while gaining significant market power over both ISPs and content providers. 

The nature of ISPs is comparable to that of utilities and it is therefore proper to regulate them as such. It is hugely problematic if some of their indeed considerable market power is then usurped by a new third party that has managed to completely escape regulation.

Why are Cloudflare and others pushing for centralised DoH?

This is indeed somewhat of a mystery. Like many websites that claim to care about our privacy before stuffing our browsers with cookies and trackers, Cloudflare (and Google and Mozilla) tell us they are in it to improve our privacy. Only one of these three is actually a non-profit though. It is pretty hard to see Google or Cloudflare as publicly traded charities heavily invested in improving our privacy. Mozilla is a very credible privacy advocate (even if I disagree with how they want to improve my privacy).

When questioned, Cloudflare states they are doing it because 1) it does not cost them real money and 2) users of the Cloudflare DoH service get slightly faster access to Cloudflare-hosted content.

The first bit could technically be true, although providing high speed encrypted DNS service does cost tons of CPU cycles. It appears however that Cloudflare is spending serious time lobbying governments in Europe and the US to get them behind centralised DoH – and unless there is a new pro-bono trend in lobbying I am not aware of, such efforts cost real money.

The second part is also interesting and somewhat revealing. If the impetus to centralise DoH on Cloudflare is indeed to speed up Cloudflare services relative to competitors, that is a clear network neutrality violation. It has also been claimed that this effect is in fact tiny, but if so, there is no good faith explanation left anymore why the company is attempting to centralise the internet on itself.

A now deleted Twitter conversation outlining how centralised DoH by Cloudflare specifically benefits Cloudflare customers

In the absence of good explanations the mind wanders to bad explanations. A crucial fact is that some CDNs that compete with Cloudflare face immediate challenges if DNS moves away from the ISP – CDNs will lose sight of where DNS queries are actually coming from, leading streaming video to (initially) be served from potentially sub-optimal locations. 

What could be done

From a European perspective, it is quite clear that any centralised DoH provider that manages to become the new default for lookups is, in fact, also a telecommunications service provider. With this comes all the fun of the NIS directive and the full force of the EU telecommunications framework directives. Governments here would do well to recognize this fact and regulate accordingly.

Meanwhile, Mozilla has negotiated a privacy contract with Cloudflare for the DoH services, and we can find the promises in that contract here. There is no trace of network neutrality in there, nor is there a commitment from Cloudflare to actively work on establishing top-notch service to relevant content delivery networks. Life would be a lot better if Mozilla required such commitments from Cloudflare. 

If regulated as such, centralised DNS over HTTPS could be made more palatable – but it might also make running a DoH service for free unattractive enough that operators will no longer bother. 


Centralised DNS over HTTPS is pushed to keep ISPs’ presumed prying eyes away from our DNS traffic, and grant such access to other parties like Cloudflare that then promise not to do anything bad with our data. There are good reasons to assume centralised DoH is bad for privacy.

In addition, by moving crucial telecommunication network functionality from the regulated ISP to unregulated cloud providers, there is significant risk of network neutrality violations. This is because the centralised DNS over HTTPS provider is now in charge of providing snappy service, including to its documented competitors. All this without regulation.

Governments should recognize centralised DoH operators that take over DNS lookups by default for what they are: providers that need to be regulated because of their systemic position. And finally, it would behoove Mozilla (who are strident fighters for a free and open internet) to make sure their contract with Cloudflare includes provisions that make sure all CDNs are equally well served by their chosen DoH providers.


  1. Sander Steffann

    Excellently written and explained, as always. I vote that we consider Bert as Critical Infrastructure 😉

  2. James

    One item you leave out with respect to ISPs’ DNS (at least in the US) is that it’s not uncommon for some ISPs to rewrite DNS responses so they can inject their own advertising. This corruption of the DNS data is far more insidious than merely tracking in my opinion and justifies using DoH to any provider other than the ISP.

    Unless an encrypted DNS path is provided, it doesn’t matter if you do your own full tree caching or rely on the ISP’s caching server. If they see a DNS entry they wish to overwrite in your network stream, they can do it.

  3. Vicky Risk

    Excellent, as always Bert. The other thing that I think people forget is, users have an actual contract, a business agreement, with their ISP, under which they have some rights, and some standing to enforce them. With a free hosted service on the web, the end user is effectively nobody. There may be an agreement – entirely one-sided, and posted somewhere on the web site that the end user may or may not ever see.

    • skillscat

      This is a well thought out and well written article. The problem, as I see it, is that people generally speaking hate their ISPs but love their browsers. Not sure why that is. So when people are given a choice between trusting their browsers, who recommended DoH, and the ISPs, who cry foul, people are hesitant to listen to the reasons why DoH may not be the best answer if those explanations come from their ISP.

  4. josvazg

    I am sorry, but this does not make sense to me. You are talking about DoH as if it were some magic proprietary sauce only Cloudflare or Google can possess. Come on! Those are open standards, basically running a DNS resolver on top of HTTPS (DoH) or a DNS server on top of TLS (DoT).

    You don’t want centralized DNS? Easy, just stop complaining about DoH and implement it! (or just deploy it)
    Give users the choice, implement both DoT and DoH as an ISP or even as a CDN. Unless of course, your problem really is encrypted DNS, is it?

    Once DoH and/or DoT is ubiquitous then Google’s or Cloudflare’s excuse to hold your DNS queries captive is completely destroyed. They will need to go back to letting the user choose their preferred DNS provider, maybe with a protocol preference on DoH or maybe not. No regulator required, easy peasy.

    • vcunat

      The main DNS privacy “war” is about defaults, because almost all internet users will stick to defaults and I don’t think that can or should be changed – forcing users to decide for themselves for each such thing probably won’t work well. For example, even if/when ISPs do deploy encrypted DNS at large, it seems unlikely to matter much unless defaults get switched to that somehow (instead of Cloudflare). (And there remains the issue that apparently Mozilla thinks that (US) ISPs shouldn’t be trusted with privacy by default.)

      There are open-source implementations, and there are various smaller public resolver services providing DoH (and other protocols). For concrete examples, (dnsdist) and “my” Knot Resolver have had DoH implementations for quite some time, and my cz.nic also offers a public service. Third-party DNS will still go outside your ISP network and thus keep some of the disadvantages. Even some large ISPs are now publicly testing their own DoH services.

      Around third-party DNS I agree with the article that there are problems in incentives. *If* it’s a free service that can’t be monetized (with ads or selling data), why even run it with high quality? (Unless you’re a non-profit interested in this stuff.)

  5. software developer

    Hi Bert.

    I think you’re missing another important issue at play here. I first read about it in the Internet Protocol Journal article sometime this year by Geoff Huston. So what I’m saying is not new and you are probably aware.

    DoH is good because you can get privacy for the last mile of DNS. This may be good or bad for the reasons you outline in this article. I state that it is a good thing because it gives end users a choice.

    But specifically with DoH the DNS traffic is not discernible from other traffic on an end user’s system. This means an application can bundle its choice of DoH resolver, bypassing the user’s choice.

    And to compound that, some browser vendors are allowing bypass mechanisms by checking a special designated well-known name that is provided by the user’s resolver DNS operator to force DNS traffic back to the system (user’s) resolver. Again this is dubious because a browser might be protecting you from the last mile, but the last mile wants to disrespect and violate your privacy.

    So to summarise: user choice of DNS resolver is good, especially if it ostensibly means more privacy. Ceding user choice by allowing an application to choose is bad. Ceding user choice by allowing the system resolver (as opposed to the user themselves) to force applications to fall back on the system resolver is bad. The user should ultimately control the resolver choice and what they deem a private resolver. Today the ecosystem of DoH is Cloudflare, Google, Mozilla, and another handful. But the future might be different.

    Also consider that some DNS providers still spoof NXDOMAIN for $$$$. DNS did this. does this today. Some US ISPs force 53/UDP to go through their DNS server only despite user configuring otherwise. All of these shenanigans need to stop and DoH gets us one step closer.

    Btw – great article.

  6. Pingback: [Axis of Easy] #SaveDotOrg: Why ISOC Sold The .ORG TLD To A Private Equity Firm

  7. josvazg

    The thing is the technology to have encrypted DNS has been around for quite a while, yet nothing has happened till now.

    Google & others are pushing for a more secure Internet. That is out of self-interest, the more reliable and secure the Internet is, the bigger their potential future incomes. Today not everybody is using the Internet, or not everybody is using it as much as they could or Google and others would hope for. So there is a lot of potential income there, and that can only happen if the Internet is deemed secure and trustworthy by more people.

    Google and others have already almost achieved the goal to spread “HTTPS everywhere”, so the next logical step is DNS, to properly close the air-gap.

    This DoH push feels to me like a slam on the table to force the DNS encryption to happen once and for all. It is like a chess game, “if you don’t want users to use our DoH servers, then deploy DoH (and/or DoT) yourself, and stop complaining”.

    You might like the play more or less, but I think it is effective to achieve the goal of ubiquitous encrypted DNS. There is NO excuse for ISPs and others NOT to implement one or both flavors of encrypted DNS, be it DoH or DoT. It is not for free, of course, but I think that not doing it is more costly in the long run. In fact, the ISPs’ complaints to the authorities feel to me more like a cheap way to try to avoid having to spend on rolling out DoT & DoH. Quit the whining and just do it!

    DoH and/or DoT MUST happen sooner or later. The sooner it happens, the better, so the centralization problems this article describes are more short lived.

    Once DoT/DoH are everywhere, then Google and friends have NO EXCUSE to hold on to making the browser DNS default to whatever they like. If they refuse to go back to use the OS defaults, as it was before, then it will be clear they are not for the encryption, but for something else. I don’t think they can risk going there, the same way ISPs can’t risk NOT implementing encrypted DNS soon.

    So the chess game would probably end with things more or less returning to the previous state:
    – The OS defaults to use the DHCP-given DNS settings. Maybe each OS or Linux distro will set a preference order to DoT, or DoH or plain, or maybe it will be DoH/DoT/plain.
    – The browser just uses the OS resolver by default.
    – ISPs will probably regain control of most of their users’ DNS traffic. And even if they don’t, they will still see what IPs their users are accessing anyway… except if they use a VPN, same as today.
    What will change is that other 3rd parties, that are not ISPs nor actual content providers or browser vendors, will have a harder time guessing where people are connecting to. Governments would continue to leverage ISPs, just as they do today.

    As for companies, they will probably have to start considering moving to a zero trust model and VPN-less ways to access their networks and services, regardless of the DNS changes. And they can always force employees to use DoT only to reach company services, lock down company-issued devices and reduce trust levels on other devices accessing company resources.
