by autoexec 663 days ago
Which (for people not handing all of their DNS traffic over to google anyway) usually just means that their ISP can see their DNS traffic which is kind of a moot point because your ISP can see the domains you go to even with DoH.

If somebody is on your local network capturing packets or they've cracked your wifi, you've got bigger problems than your DNS leaking a list of domains. They'll also see the IP of every server you visit online anyway.

The way DoH is implemented usually means that all of your DNS traffic is collected by some third party for-profit corporation like cloudflare anyway (who admittedly will already know most of the domains you visit anyway because of how often cloudflare's IP space is where DNS will point you).

There really aren't any good options for DNS and privacy, just a lot of compromises. Host your own. Or, if your ISP is trustworthy, you might be better off using what they provide. The DNS traffic between you and your ISP's servers should never leave their network.

ISPs seeing the domains of user traffic is not a given. And DoH is a step toward mitigating that.

People were setting their DNS resolver to custom values before DoH.

I agree that DoH would ideally be enabled at the OS level, or that the browser flow would default to still checking the hosts file before sending out the query.

Unless you are using a VPN, your ISP can see the IPs you are communicating with regardless of the hostnames associated with them and in turn resolve those back to hostnames or at least netblock owners.

True, but in the cloud era, destination IPs don't mean what they used to. If people wash their blog with AWS or Cloudflare or Netlify, etc., dest. IP means little.

They're not talking about IPs. They're talking about SNI, which communicates the target hostname in the clear before the https session is established. ECH addresses that problem, but that is only recently starting to see wider use.