They don’t hijack HTTPS; they hijack DoH. The point behind this is to protect the average user, but they’re just going to get the recursive resolver from DHCP. People who bother to use something are the same ones who will tunnel traffic or run their own resolver.
> You cannot hijack DoH without hijacking an HTTPS connection.
Not true. An ISP can always reroute packets wherever they want. Want to reroute from a trusted resolver to your own, which is bootstrapped over regular DNS? No problem. Client checks it? No problem, it will fall back to regular DNS.
> Client checks it? No problem, it will fallback to regular DNS.
That's a good point, I'd missed that. I'd hope the browser would show a warning in this case though.
I don't imagine there'd be any point redirecting a DoH request rather than just blocking it outright though. No serious DoH implementation is going to fail to check the cert.
Unless you have trusted a CA from your ISP, they won't have a valid cert. They can divert the packets, but their response will be invalid (fail when the client checks the cert).
I addressed this in my response. You're right that redirection does little more than just blocking the traffic, on account of the certificate check, but if the attacker can force a fallback to regular DNS, that's a problem.