First of all, we are not talking about the trustworthiness of VPNs, that's a separate discussion entirely. And no, I don't trust my ISP more than I trust my VPN, but I understand your mistrust as VPNs are indeed not as private as they are marketed. But imo this is throwing the baby out with the bathwater.
Go to Germany, download a movie either from the Pirate Bay or see one from one of the many illegal websites streaming content and prepare for a letter (delivered to your home address) with a huge fine and a legal threat within a month.
Not that I'm a huge fan of pirating content, even if some cases like Sci-Hub have the moral high ground, but this goes to show just how trustworthy an ISP is, in an EU country with some of the best privacy laws ... and in such cases a VPN is absolutely mandatory.
---
DoH hides your DNS queries — if you visit an HTTPS website, the traffic might be protected via HTTPS, but the domain name is clearly seen.
Of course, the ISP still sees the IP you're communicating with, but due to SNI and industry practices nowadays of putting websites behind CDNs, IPs don't necessarily reveal the website you're communicating with.
DoH also makes it harder for ISPs to block or redirect your access to certain websites. For instance, it makes it harder to block Pirate Bay based on the whims of your local government. Now certainly Cloudflare can also be compelled to block websites like Pirate Bay, but the DoH service you're communicating with is customizable: you can pick whatever service you want and, just like with VPNs, I predict there will be plenty of privacy respecting services to choose from.
And DoH is not foolproof, it doesn't solve all of our privacy needs, it's just a piece of the puzzle, but a necessary one.
> I predict there will be plenty of privacy respecting services to choose from.
Why? Where is the money in that?
Sure, there might be some, but many?
Call me a cynic, but I don't think Google (one of the biggest public DNS servers atm) or Cloudflare (probably second biggest) are providing this service out of the goodness of their hearts.
If you worry about DNS that much, running your own is not that hard (I am running one at home*, and one at the place I work).
I don't know why Google and Cloudflare provide this service and I don't really care, because it's irrelevant.
DoH is first of all a protocol. If you run your own DNS resolver at home, surely you'll be able to run your own DoH server too.
Also, your requests will no longer be sent in clear text, which means that a Wifi administrator at your local coffee shop won't be able to see your queries and responses, which with the regular DNS protocol are in cleartext. In that case your home DNS server does not help — unless you're on your own network in full control of your router, or run your own VPN, communications with your home DNS resolver are just as vulnerable.
The value of something like DoH is clear, regardless of the motivation that Cloudflare and Google have for providing such a service for free.
---
Speaking of which, accessing pirated content is not the only case I worry about — another problem I have with my ISP is that they serve me a 404 Not Found page filled with ads on domains that aren't available. This is in an EU country.
Also back when HTTPS wasn't forced on Google, the searches were logged and people were automatically flagged for problematic queries and then potentially monitored for years. One of the topics that triggered automatic flagging was child sexual abuse — I know because I helped a local campaign, building an awareness website, etc, only to be informed of such practices by an acquaintance working for our internal security agency.
And while today this may happen for legitimate reasons, tomorrow it might happen for people criticizing the government. Look no further than countries like Turkey or Hungary.
Personally, coming from communism, I fear the nanny state more than I fear big companies from other countries.
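The point in the reply above about cleartext queries on a coffee-shop network versus DoH as a protocol, as an added example (not code from anyone in this thread): it encodes a minimal RFC 1035 query, shows what a passive LAN observer reads from a plaintext UDP/53 payload, and wraps the same message in the RFC 8484 DoH GET form, where only the resolver's hostname is visible on the wire. The resolver URL `https://doh.example/dns-query` and the sample name `example.com` are constructed placeholders.

```python
import base64
import struct

def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal RFC 1035 query (12-byte header + one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_qname(msg: bytes) -> str:
    """What a LAN sniffer reads straight out of a cleartext UDP/53 payload."""
    pos, labels = 12, []            # question section starts right after the header
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def doh_get_url(msg: bytes, resolver: str = "https://doh.example/dns-query") -> str:
    """RFC 8484 GET form: base64url of the wire message with '=' padding removed.
    The resolver URL is a placeholder (assumption); any DoH endpoint would do."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"

def decode_dns_param(param: str) -> bytes:
    """Reverse of doh_get_url: restore the padding, then base64url-decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def observer_view(name: str, resolver_host: str = "doh.example") -> dict:
    """Compare what a passive observer on the LAN learns in each case:
    plain DNS exposes the queried name; with DoH the query sits inside TLS and
    only the resolver's hostname (via the TLS SNI) is visible."""
    msg = build_dns_query(name)
    return {"udp53": parse_qname(msg), "doh": resolver_host}

if __name__ == "__main__":
    q = build_dns_query("example.com")        # constructed sample query
    print(observer_view("example.com"))
    print(doh_get_url(q))
```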
> Personally, coming from communism, I fear the nanny state more than I fear big companies from other countries.
I am from Slovenia and I know exactly what you mean, and agree 100% with that.
I just think that in the end POE is worse, since I think it will result in concentration of something that was widespread (plenty of small ISPs and providers) into a few bigger and easier to backdoor providers. So it will be easier to monitor than before.
And I don't think that western democracies and "democracies" will just throw in their towel.
I trust Cloudflare and Google less than I trust my ISP; if nothing else, their budget (and competence, and reach) is much lower (the ISPs').
I mean, Gmail and Outlook are much more competently run than most ISPs and businesses ran their mail servers. I am afraid something similar can happen here.
> DoH is first of all a protocol. If you run your own DNS resolver at home, surely you'll be able to run your own DoH server too.
Packets never leave the local network. The advantage of DoH is that it's over HTTPS, so if you don't control your firewall you can still use it.
But if you control your own network, DoH is not that useful, since you still have to support old DNS for all the applications and devices that don't support DoH.
If someone can listen on your LAN you have bigger problems than someone being able to intercept your DNS queries.
Not saying there are no advantages, it just isn't a priority.
And if you use a VPN, they can see your traffic.
Personally I trust my ISP more than some random VPN provider on the net.