And most users don’t know what a VPN is. In both cases, they’re not gonna learn anything about it. Except you need to pay for a VPN, after figuring out which one is kinda trustworthy instead of snakeoil, while encrypted DNS is a simple setting on any OS. Nothing more. You don’t need whole articles to explain what your product does and why you respect privacy and blah, while not saying a single word that’s true. It’s a simple setting. VPNs are not only user friendly, they’re a full ripoff for most people and snakeoil. They don’t explain what they do in “laymans terms”, most of them just blatantly lie. Anything for the cash. If you want an explanation of encrypted DNS:
A DNS is kind of like your GPS. It translates an address into something more usable, e.g… like your GPS translates ‘123 Baker Street, Washington’ into coordinates, so you can use it on a map, for example. A DNS does the same, but for the internet: It translates “google.de” into a format that is actually readable and usable to the computer. However, to translate “google.de” you need to reach out to someone else, that knows the address. The thing is, if someone just pretends to give the right answer, but in fact gives you their own address, you may end up at the wrong website, or in the GPS example, at the wrong house. So instead of visiting your actual bank’s website, you’re going to visit someone else’s website, which looks basically the same, except once you log into your bank account the attacker can read that and steal all your money. In the GPS example, you would now be at the slaughterhouse instead of Disneyland. An encrypted DNS just means that you specify exactly whom you will trust, for example google, and that you want your communication with google to be encrypted, so no one can even read which website you want to visit.
If someone doesn’t understand this, they wouldn’t understand what a VPN is, even broken down to bare concepts. So for those people: It makes you safe just trust me just set this setting, no app, no account, no money required. Because that’s the level a typical VPN company argues on.
It seems like your whole threat model is avoiding DNS poisoning, which is fine, but I fail to see how you can compare using DoH/DoT to a VPN.
so no one can even read which website you want to visit.
Except for the DNS provider (in your example, Google, so… yikes), the operator of the network you’re on (since the destination IP can be rDNS’d or WHOIS’d, or simply grabbed from the Host header if your browser still tries HTTP first). Any traffic that is not encrypted will be snoopable. Traffic volume and connection times to each destination can be analyzed.
By contrast, a VPN will also use secure (if you trust the provider ofc) DNS servers for your requests, plus making all of the traffic completely opaque except for “going to this server”.
no app, no account, no money required
You can also make your own, free VPN service with a little technical knowledge.
And most users don’t know what a VPN is. In both cases, they’re not gonna learn anything about it. Except you need to pay for a VPN, after figuring out which one is kinda trustworthy instead of snakeoil, while encrypted DNS is a simple setting on any OS. Nothing more. You don’t need whole articles to explain what your product does and why you respect privacy and blah, while not saying a single word that’s true. It’s a simple setting. VPNs are not only user friendly, they’re a full ripoff for most people and snakeoil. They don’t explain what they do in “laymans terms”, most of them just blatantly lie. Anything for the cash. If you want an explanation of encrypted DNS:
A DNS is kind of like your GPS. It translates an address into something more usable, e.g… like your GPS translates ‘123 Baker Street, Washington’ into coordinates, so you can use it on a map, for example. A DNS does the same, but for the internet: It translates “google.de” into a format that is actually readable and usable to the computer. However, to translate “google.de” you need to reach out to someone else, that knows the address. The thing is, if someone just pretends to give the right answer, but in fact gives you their own address, you may end up at the wrong website, or in the GPS example, at the wrong house. So instead of visiting your actual bank’s website, you’re going to visit someone else’s website, which looks basically the same, except once you log into your bank account the attacker can read that and steal all your money. In the GPS example, you would now be at the slaughterhouse instead of Disneyland. An encrypted DNS just means that you specify exactly whom you will trust, for example google, and that you want your communication with google to be encrypted, so no one can even read which website you want to visit.
If someone doesn’t understand this, they wouldn’t understand what a VPN is, even broken down to bare concepts. So for those people: It makes you safe just trust me just set this setting, no app, no account, no money required. Because that’s the level a typical VPN company argues on.
It seems like your whole threat model is avoiding DNS poisoning, which is fine, but I fail to see how you can compare using DoH/DoT to a VPN.
Except for the DNS provider (in your example, Google, so… yikes), the operator of the network you’re on (since the destination IP can be rDNS’d or WHOIS’d, or simply grabbed from the Host header if your browser still tries HTTP first). Any traffic that is not encrypted will be snoopable. Traffic volume and connection times to each destination can be analyzed.
By contrast, a VPN will also use secure (if you trust the provider ofc) DNS servers for your requests, plus making all of the traffic completely opaque except for “going to this server”.
You can also make your own, free VPN service with a little technical knowledge.
VPNs are 95% about privacy, not security. So all encrypted DNS does is security? What I want from a VPN is fewer companies accurately spying on me.