К тому что отточенная безопасная реализация https в браузерах. С качеством tls вне браузеров есть проблемы. Поэтому логично в браузере сделать DoH. А не делать лишнюю работу по имплементированию DoT, которая не приносит пользы и не имеет смысла.
Да и вне браузеров DoT может выглядеть хуже чем DoH.
https://dnscrypt.info/faq/
Специфичные минусы DoT:
> Uses a dedicated port (853) likely to be blocked or monitored in situations where DNS encryption is useful
> Initial connection is slow due to the long handshake (until TLS 1.3 is deployed, which can take time due to middleboxes)
> Not well understood even by its proponents. It is a truck, as it is heavy and slow to load, but most if not all implementations perform a full round trip for every packet (even the excellent miekg/dns library as used by Tenta).
> Padding rules haven’t been specified besides a draft that doesn’t have any implementations, and a last-minute hack that requires altering DNS record sets before wrapping them
> Difficult to implement securely. Validating TLS certificates in non-browser software is the most dangerous code in the world
> TLS is a generic transport mechanism. It doesn’t support reordering and parallelism and doesn’t include any ways to manage priorities. New mechanisms need to be invented and implemented to do so.
> Will be difficult to improve without introducing more hacks. Unlikely to benefit from any improvements besides new TLS versions or homegrown reinventions.Специфичные плюсы DoH:
> Will automatically benefit from improvements made to HTTP/2 and, eventually, QUIC
> Less likely to be blocked than other options
> Can be trivially deployed on any web server, and run along existing websites; DNS response are served like simple web pages
> Can share the same infrastructure as existing websites, and share the same certificates
> Simple to implement over any existing web stack
> Immediately compatible with caching proxies and CDNs
> Supports reordering, parallelism and priorities, thanks to HTTP/2
> Can leverage existing padding mechanisms (HTTP/2 frames padding)
> Supported by CuRL: will soon be available in all programming languages with bindings for libcurl
> Work is being made to leverage DoH and CDNs to improve performance of web applications DoH digests
Еще скажи к чему этот оверхед с TCP. Давайте лучше сделаем новый протокол на базе UDP, не QUIC, а специально для DNS, прикрутим к нему сверху TLS, а над ним еще один специальный протокол: для передачи текста, паддинга, параллелизма, реордеринга, приоритетов. Оно же будет легче и не менее безопасно, чем тяжелый TCP+TLS+HTTP/2 с лишними для DNS вещами? И написать этот стек безопасно не трудно, да? Не будет потом уязвимостей из-за кривостей реализации параллелизма, реордеринга и т.д. в специальном новом протоколе?
