DNS has known privacy issues, but this solution just (conveniently for them) shifts trust and data from the network operator to Google DNS or another central provider
Again, why? What bad thing could Comcast do to you? I know they're like a regional semi-monopoly, but they don't control anything else in your internet life.
Who knows if some 'suspicious' DNS queries sent to Google will accidentally set off some tripwire that causes them to lock you out of half the internet: https://news.ycombinator.com/item?id=30771057
Shudder sure. But why not run your own DNS? Pick a desktop, Pi, server or similar and run a full resolver like unbound. You'll never have issues because your ISP's DNS is slow or dead, and you'll be talking to the root servers directly.
That's the great thing about this feature, you can! Set up a DoH server, configure it on your phone, and you'll have your personal, encrypted-in-transit DNS server that you can use from anywhere!
By leveraging Oblivious DoH you can even encrypt your DNS traffic securely to your upstream DNS provider without having to set up your own recursive resolver (which would only lead to privacy issues).
Depends on your setup. You can tunnel your DNS through a WireGuard link to some cloud server if you want or you can use something like ngrok to expose the port publicly.
Every hop adds latency, though, so I'd recommend using as direct a connection as you can get. DNS latency can make your internet experience a real pain!
I've worked it out myself, there's a Rust crate called doh-proxy that contains a binary that's essentially a DoH server for a DNS server you specify and if you set it up right it'll just open a DoH server on a port you specify. Kind of a pain to debug, but once it works, it works pretty well. Can take a TLS cert or can work without TLS and a reverse proxy.
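As an added illustration of what a DoH client such as the one described above actually exchanges (this is not code from any commenter, nor from doh-proxy), the following Python script builds a DNS wire-format query, encodes it the way RFC 8484 requires for a GET (`?dns=` with unpadded base64url, transaction id 0 for cacheability), and parses a response, including the AD flag that tells the client whether the resolver validated DNSSEC. The resolver URL `https://dns.example/dns-query`, the name `example.com` and the answer `192.0.2.1` are constructed placeholders; the sample response bytes are built inline so the script runs offline.

```python
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"   # media type mandated by RFC 8484
DOH_URL = "https://dns.example/dns-query"       # constructed placeholder resolver


def build_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS query (RD set, one question). txid 0 as RFC 8484 suggests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def doh_post_request(resolver_url: str, query: bytes) -> dict:
    """RFC 8484 POST form: raw wire message as the body with the DNS media type."""
    return {
        "method": "POST",
        "url": resolver_url,
        "headers": {"Content-Type": DOH_CONTENT_TYPE, "Accept": DOH_CONTENT_TYPE},
        "body": query,
    }


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                  # name ends after the first pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Parse header flags and answer records; A records are rendered dotted-quad."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "tc": bool(flags & 0x0200),   # truncated
        "ad": bool(flags & 0x0020),   # authenticated data: resolver validated DNSSEC
        "answers": answers,
    }


# Constructed sample response: QR|RD|RA|AD flags, one A record with a compression pointer.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
    + build_query("example.com")[12:]                     # echoed question section
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)    # name ptr -> offset 12, A, IN
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_URL, q))
    print(parse_response(SAMPLE_RESPONSE))
```

The GET form is what lets intermediate HTTP caches and the resolver itself treat identical queries as identical resources, which is why the transaction id is fixed at 0; a client that wants DNSSEC assurance checks the `ad` flag in the parsed response rather than trusting the answer blindly.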
DNSSEC protects against that for well-configured domains, though you can't assume people put in the effort.
You can use ODoH (https://blog.cloudflare.com/oblivious-dns/) to double-encrypt your DNS requests and forward them through an external server, disconnecting your query from your response, and encrypting your upstream DNS requests. You can pick any relay from this list: https://download.dnscrypt.info/dnscrypt-resolvers/v3/odoh-re... (need to de-base64 them to get the actual domain) and any upstream DoH server you prefer.
> DNSSEC protects against that for well-configured domains
This isn't effective against DNS-level censorship, though. A DNSSEC validation error is just as effective as a fake NXDOMAIN or bogus IP at keeping me from visiting the correct site.
It works in the sense that at least you can know your ISP is messing with your DNS. If they mess with DNS, they might as well just block an IP (range), so a DNS alternative probably won't bypass most censorship. You're better off with a decent VPN at that point.
I'm still trying to add HTTP/3 to my DNS server and can't test DoH. But based on the other comments, it looks like a custom DNS server will use DoH if supported?