It's worth considering that spying on DNS is a tremendous privacy leak, much more than "the most they can do" implies. An aware user might configure their system with DoH and use a privacy-respecting DNS provider, but for many users on a default home connection the ISP is pretty much able to build up a traffic profile of everything you visit and when you visit it. A VPN provider can close this hole too, quite easily. Just from DNS, your ISP can:
1. Infer shopping habits.
2. Infer which communication services you use (flag users hitting signal.org).
3. Infer when you install, update, or open programs based on telemetry DNS, potentially the versions being run, and how long they run for.
4. Infer when you're most active; infer sleeping habits.
5. Infer the probability of health problems if you're hitting more medical sites.
6. Infer political alliance from the news sites you visit.
And much more. Since the US Congress dropped the rules preventing ISPs from selling this data, this might be the most insidious thing your ISP can do today. If you believe that a VPN provider is less likely to spy due to it being the incentive for a paying customer, then a VPN with a no-log DNS option is a huge privacy win. I would argue DoH with NextDNS by itself does more for your privacy than any VPN does with IP masking.
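To make the comment above concrete, here is an added example (not posted by anyone in the thread) of how little code a resolver operator needs to turn raw query logs into the kind of profile described: category counts, active hours, application versions leaked through telemetry hostnames, how long an application phoned home for, and the longest quiet window (a sleep-schedule proxy). The log lines, the domain-to-category map and the `v<major>-<minor>-<patch>.telemetry.<app>` hostname shape are all constructed for illustration; a real profiler would use a commercial domain-classification feed and per-vendor telemetry patterns.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log: "<ISO timestamp> <client> <qname>", one query per line.
SAMPLE_LOG = """\
2024-03-04T06:58:02Z 10.0.0.5 v4-2-1.telemetry.editor.test
2024-03-04T06:58:03Z 10.0.0.5 signal.org
2024-03-04T07:15:44Z 10.0.0.5 dailynews.test
2024-03-04T12:30:10Z 10.0.0.5 shop.test
2024-03-04T12:31:05Z 10.0.0.5 cdn.shop.test
2024-03-04T20:10:59Z 10.0.0.5 symptomchecker.test
2024-03-04T22:40:00Z 10.0.0.5 v4-2-1.telemetry.editor.test
2024-03-04T23:05:17Z 10.0.0.5 signal.org
2024-03-05T07:01:30Z 10.0.0.5 v4-2-2.telemetry.editor.test
2024-03-05T07:01:31Z 10.0.0.5 signal.org
2024-03-05T08:00:00Z 10.0.0.9 dailynews.test
"""

# Constructed category map (suffix match); stands in for a domain-classification feed.
CATEGORIES = {
    "signal.org": "messaging",
    "dailynews.test": "news",
    "shop.test": "shopping",
    "symptomchecker.test": "health",
}

# Constructed telemetry hostname shape: v<major>-<minor>-<patch>.telemetry.<app>
TELEMETRY_RE = re.compile(r"^v(\d+)-(\d+)-(\d+)\.telemetry\.(.+)$")


def parse_log(text):
    """Return a list of (timestamp, client, qname) tuples from the log text."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append((stamp, client, qname.lower().rstrip(".")))
    return records


def classify(qname):
    """Map a query name to a coarse category, 'other' if it matches nothing."""
    if TELEMETRY_RE.match(qname):
        return "telemetry"
    for domain, category in CATEGORIES.items():
        if qname == domain or qname.endswith("." + domain):
            return category
    return "other"


def profile_clients(records):
    """Build one profile per client IP from parsed query records."""
    by_client = defaultdict(list)
    for ts, client, qname in records:
        by_client[client].append((ts, qname))

    profiles = {}
    for client, queries in by_client.items():
        queries.sort()
        categories = Counter(classify(q) for _, q in queries)
        active_hours = sorted({ts.hour for ts, _ in queries})

        # Versions seen per app (in order) and telemetry pings per (app, day).
        versions = defaultdict(list)
        pings = defaultdict(list)
        for ts, q in queries:
            m = TELEMETRY_RE.match(q)
            if m:
                app = m.group(4)
                version = ".".join(m.group(1, 2, 3))
                if version not in versions[app]:
                    versions[app].append(version)
                pings[(app, ts.date().isoformat())].append(ts)
        # Minutes between first and last ping of the day: a crude "how long it ran" estimate.
        spans = {k: int((v[-1] - v[0]).total_seconds() // 60) for k, v in pings.items()}

        # Longest gap between consecutive queries: a proxy for when the user sleeps.
        quiet = None
        for (a, _), (b, _) in zip(queries, queries[1:]):
            gap = int((b - a).total_seconds() // 60)
            if quiet is None or gap > quiet["minutes"]:
                quiet = {"from": a.strftime("%H:%M"), "to": b.strftime("%H:%M"), "minutes": gap}

        profiles[client] = {
            "categories": dict(categories),
            "active_hours": active_hours,
            "app_versions": dict(versions),
            "telemetry_spans_min": spans,
            "quiet_window": quiet,
        }
    return profiles


if __name__ == "__main__":
    for client, prof in profile_clients(parse_log(SAMPLE_LOG)).items():
        print(client, prof)
```

Run as-is, the script prints that 10.0.0.5 reads news, shops, looked up a symptom checker in the evening, uses Signal, runs an app that updated from 4.2.1 to 4.2.2 overnight, and is quiet from about 23:05 to 07:01. None of that required seeing a single packet of the actual traffic, which is the point of the comment: DoH to a resolver you trust, or a VPN that carries DNS inside the tunnel, takes this view away from the ISP and hands it to whoever runs the resolver instead.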
I do not believe that Google/Cloudflare are not doing something with the DNS data.
Data is a commodity after all.