More of a general question: How does this affect people who choose to use DoH without using Encrypted Client Hello? I can’t quite parse the language there.
ECH is technically unrelated to DoH, ECH is a HTTP extension not a DNS extension. But it uses the DoH encryption because it can’t use the HTTP encryption because of the chicken-and-egg problem explained in that comment, so… it basically latched onto DoH as a solution and in doing that tied the two together.
And to answer your question, DoH is usable on its own without ECH because ECH is not needed for DNS. But ECH is strongly desirable for HTTP, and it also requires DoH, so that’s why Mozilla for example activated then as a package deal in Firefox (both or neither).
So DoH alone encrypts the DNS request which could reveal the intended domain, and ECH does likewise but for the initial HTTP request? Maybe I’m thick, but to me it sounds like DoH without ECH is insufficient?
In a sense yeah, you want ECH too. It’s just that ECH makes up for a HTTP-specific fault. DNS is used for more than HTTP; if you’re not using HTTP then DoH is enough.
More of a general question: How does this affect people who choose to use DoH without using Encrypted Client Hello? I can’t quite parse the language there.
This older comment explains how ECH works.
ECH is technically unrelated to DoH, ECH is a HTTP extension not a DNS extension. But it uses the DoH encryption because it can’t use the HTTP encryption because of the chicken-and-egg problem explained in that comment, so… it basically latched onto DoH as a solution and in doing that tied the two together.
And to answer your question, DoH is usable on its own without ECH because ECH is not needed for DNS. But ECH is strongly desirable for HTTP, and it also requires DoH, so that’s why Mozilla for example activated then as a package deal in Firefox (both or neither).
So DoH alone encrypts the DNS request which could reveal the intended domain, and ECH does likewise but for the initial HTTP request? Maybe I’m thick, but to me it sounds like DoH without ECH is insufficient?
In a sense yeah, you want ECH too. It’s just that ECH makes up for a HTTP-specific fault. DNS is used for more than HTTP; if you’re not using HTTP then DoH is enough.
HTTP and HTTPS-specific?
It’s HTTPS-specific, since HTTP is not encrypted.