
Serious question: how is DoH supposed to help when the resolver itself is being asked to return bad results? DoH makes sense if something is MITM-ing your DNS requests, but it sounds in this case that Google is being asked to just straight-up return bad results?


It would not.

You'd need a resolver that was provided by a foreign organization, preferably a non-profit, with no business interests in your country whatsoever, so that your government had nothing to threaten them with if they didn't comply with the order.

Such a resolver would also need to be the default shipped with at least one major browser, such that blocking it would essentially mean "turning off the internet" for some users.

Then the pressure would move to forcing browsers to use a different DNS resolver, and the game would continue.


DNSSEC is the actual solution, providing authenticity and integrity for DNS records. The DNS client can verify that the received DNS response is what the zone admin intended. Additional records (NSEC / NSEC3) are used to provide a proof of non-existence, preventing suppression from a mitm attacker. But if your government is mitming you, you don't want them to see you use DNSSEC. DoH is useful in that case, because a mitm sees only https traffic, which is less suspicious than DoT.


DNSSEC isn't going to prevent suppression, it just makes it detectable. Cloudflare is still going to send you a doctored record - which will fail verification. But that doesn't magically give you an undoctored record, unfortunately.


I think the actual reason this works is because if you use DoH, you are probably also setting your resolver to something other than the default, which might not be poisoning the records.

So the real answer to governments requiring DNS resolvers to censor results is to ... not use those resolvers. Which is actually relatively easy to do. But most internet users don't even know what a DNS resolver is, much less how to configure their browser to use a public resolver that isn't big enough to attract the attention of your government.


DoH over proxy to pretend you're elsewhere?


DoH some other resolver, there's an internet outside Google, you know.


Exactly. In a world of many resolvers, poisoning a few doesn’t matter. In all likelihood the folks consuming these streams aren’t using mainstream DNS anyway.
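
Added example, not written by any commenter in this thread: a stdlib-only Python sketch of the "many resolvers" idea above, i.e. sending the same question to several independent DoH resolvers and flagging the one whose answer disagrees with the rest. It builds a real RFC 1035 wire-format query, encodes it the way RFC 8484 GET requests do (`?dns=` with unpadded base64url), parses A records out of responses, and compares the answer sets. The resolver hostnames and all responses are constructed inline (no network is used), and the addresses come from the documentation ranges, so none of them refer to a real service.

```python
from __future__ import annotations

import base64
import struct
from collections import Counter


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Minimal DNS query: header with RD set plus one question.
    qid=0 is what RFC 8484 suggests for GET so the resulting URL is cacheable."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire-format query as unpadded base64url."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def build_response(query: bytes, ips: list[str], ttl: int = 300) -> bytes:
    """Constructed response for the demo: echo the question, then one A record
    per IP, with the owner name as a compression pointer (0xC00C) to offset 12."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    rrs = b""
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + rrs


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> list[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _qid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return ips


def cross_check(responses: dict[str, bytes]) -> dict:
    """Compare the A answer sets from independent resolvers. Resolvers whose
    answer differs from the majority are reported as candidates for poisoning;
    this detects a lone doctored resolver, it cannot tell you which answer is
    the zone's real one if most resolvers are under the same order."""
    parsed = {name: frozenset(parse_a_records(msg)) for name, msg in responses.items()}
    majority, count = Counter(parsed.values()).most_common(1)[0]
    outliers = sorted(name for name, answer in parsed.items() if answer != majority)
    return {
        "consensus": sorted(majority),
        "outliers": outliers,
        "agreement": count / len(parsed),
    }


def demo() -> dict:
    """Constructed scenario: two resolvers agree, one returns a sinkhole address."""
    query = build_query("example.com")
    responses = {
        "resolver-a.example": build_response(query, ["203.0.113.10"]),
        "resolver-b.example": build_response(query, ["203.0.113.10"]),
        "resolver-c.example": build_response(query, ["198.51.100.1"]),  # doctored
    }
    return cross_check(responses)


if __name__ == "__main__":
    print(doh_get_url("https://resolver-a.example/dns-query", build_query("example.com")))
    print(demo())
```

The comparison is only as good as the independence of the resolvers: three resolvers that all fall under the same jurisdiction will agree on the same doctored answer and the check stays quiet, which is the point the thread makes about needing operators your own government cannot lean on.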


DoH over Tor


DNS is usually poisoned at the ISP level. ISPs provide DNS for the customers. DoH helps in two ways: You choose a different DNS resolver and it's over HTTPS so you don't have any goons meddling with it.



