by j15e 2043 days ago
Cool, but ISPs and others can still spy on the IPs you make requests to and simply ask for the reverse DNS of that IP to still get a good idea of what you are doing? Not sure how we could really achieve 100% privacy from the ISPs.

Isn't this more to prevent ISPs from modifying the results of your DNS queries? Also, in the future when we get encrypted SNI, users of websites behind CDNs like CloudFlare or similar (where the website you are visiting will not be discernible from the IP you're connecting to) will benefit from DoH + eSNI.
Another goal is to deal with the problem of "no log" VPN providers being forced to tag all internet-bound traffic on port 53 with the customer IP it originated from.

This has evolved into the universal compromise, since the VPN provider still gets to claim that they themselves aren't doing any logging. But of course their upstream ISP is now easily able to do so.

This is why Mullvad intercepts all DNS queries (even to 8.8.8.8 or 1.1.1.1). Try using OpenNIC from behind Mullvad: you won't get the extra TLDs.

Logging DNS makes it easy to selectively deanonymize people. All you have to do is get them to browse to a website that resolves a weird domain name.

Where can I read more about VPN providers tagging internet-bound traffic on port 53 with the customer IP address?
> Where can I read more about VPN providers tagging internet-bound traffic on port 53 with the customer IP address?

First, read this: https://en.m.wikipedia.org/wiki/EDNS_Client_Subnet

And this: https://tools.ietf.org/html/draft-hardie-privsec-metadata-in...

Then, start a VPN provider and wait for the NSL to arrive, like Mozilla did.

Not a coincidence that they suddenly started pushing DoH hard shortly after launching their own VPN. Before that it was just another protocol; after the VPN they suddenly were in a big huge hurry to put people on DoH by default whether the system resolver supported it or not.
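The EDNS Client Subnet tagging referred to above, as an added example that is not from this thread or any of its posters: one function builds a plain UDP/53 query carrying an ECS option (RFC 7871) with the client's subnet, and a second walks a captured packet and reports the subnet it leaks, which is what you would run over a pcap to check whether your own queries are being tagged. Names, the transaction ID and the sample addresses are constructed for the demonstration.

```python
import struct
import ipaddress

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
ECS_OPTION_CODE = 8    # EDNS Client Subnet option (RFC 7871)

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query_with_ecs(qname, client_ip, prefix_len, txid=0x1234):
    """A query for qname whose OPT record tags it with the client's subnet (constructed)."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(prefix_len + 7) // 8]  # only the prefix bytes go on the wire
    ecs = struct.pack("!HBB", family, prefix_len, 0) + addr
    rdata = struct.pack("!HH", ECS_OPTION_CODE, len(ecs)) + ecs
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt_rr

def skip_name(buf, pos):
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer terminates the name
            return pos + 2
        pos += 1 + length

def find_ecs(packet):
    """Return the subnet this DNS message carries in an ECS option, or None if it has none."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(packet, pos) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(packet, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        rdata, pos = packet[pos:pos + rdlen], pos + rdlen
        if rtype != OPT_TYPE:
            continue
        opos = 0
        while opos + 4 <= len(rdata):             # walk the EDNS options
            code, olen = struct.unpack("!HH", rdata[opos:opos + 4])
            odata = rdata[opos + 4:opos + 4 + olen]
            opos += 4 + olen
            if code == ECS_OPTION_CODE:
                family, src_len, _ = struct.unpack("!HBB", odata[:4])
                cls, width = (ipaddress.IPv4Network, 4) if family == 1 else (ipaddress.IPv6Network, 16)
                return str(cls((odata[4:].ljust(width, b"\x00"), src_len)))
    return None
```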

If your ISP is running the DNS with DoH/DoT then those queries can still be modified. Encrypted DNS does not solve the problem of DNS record manipulation.

For the rest, encrypted SNI might help, but it's still a draft so not really in use. Also 95%+ of sites are identifiable by IP only.

You could be using a VPN. I always found DNS with a VPN messy: how not to leak queries, how to resolve internal records, how to react to the VPN server's DHCP info.
Never send DNS queries into a VPN. They are all logged along with the originating client IP.

If your VPN provider claims they "don't log" it just means they're tagging the query with your IP as it leaves their network and letting their upstream ISP do the logging.

Never, ever, send UDP/53 traffic into a VPN.

Indeed, however there are more use cases for VPNs. You might run a "road warrior" setup, connecting to the company network for services and accidentally leaking company DNS info to the airport's WLAN provider.

DNS setup is messy.

> ask for reverse DNS of that IP to still get a good idea of what you are doing

These days, this will be mostly some *.amazonws.com domain.