[fragmede]

The "attack" is bad implementations revealing the whole IP, leaking that PII, to anybody watching DNS, instead of the query being masked to a /20, or some other subnet.

Not all VPNs route DNS queries over the VPN for performance reasons. Thus, knowing that a specific IP is visiting dissident net when that cannot be directly observed is very useful.

[saurik]

Your "VPN fails to prevent my ISP from seeing the DNS request" attack is already prevented by using 1.1.1.1 with DNS-over-HTTPS even if Cloudflare gives your IP address, unencrypted, to the upstream DNS server, as the only party in question there is your local ISP. I am asking after some detail on the specific attack that Cloudflare is claiming they caught nationstate actors doing wherein it matters that Cloudflare's DNS requests leak my IP address, as the only scenario I can come up with where that matters is a hypothetical attacker that specifically is monitoring Cloudflare's egress (which frankly sounds relatively difficult due to scale) but not the website's ingress (which for a website of interest seems absolutely trivial) nor the user's egress (such as many countries now seem to do routinely), either of which trivially out the user's address and intent due to the browser making a direct socket connection to the result of the DNS query.