Indeed, that and SNI[1] make this whole DoH thing pretty pointless for privacy IMHO --- if you are seriously concerned about your ISP monitoring your traffic, tunnel everything through a VPN that exits into the Internet somewhere else. It seems more like an effort to frustrate host-based adblocking more than anything.
[1] Looking at SNI is even more accurate, since DNS lookups don't necessarily (but often) mean a connection to that host will be made; a TLS handshake, on the other hand, means a connection is being made.
I doubt DoH is a ploy to break adblocking; if you don’t control the device making the requests they could already do plenty of things to break crude adblocking techniques like that. (Nevermind the fact that one of its biggest supporters is Mozilla.)
Stating that this is pointless for privacy seems like an exaggeration. Sure it's not a panacea, but for probably 80% of sites, the destination IP tells you you are headed to Amazon or Cloudflare. Besides that, why reveal more information than less, and why not remove unencrypted, easily manipulated network traffic? Personally, I aim to eliminate unencrypted traffic on my networks.
Yep. Encrypted SNI is still a work-in-progress in terms of browser support – like DoH itself – but they’re both being pushed by Cloudflare, and intended to complement each other. No conspiracy theory needed to explain the motivation.
Edit: And Cloudflare's own service mitigates the use of IP addresses to identify sites, since (AFAIK) all Cloudflare-wrapped sites are accessed via the same IP. Of course, this is only an improvement if you trust Cloudflare.
Exactly; this isn't suitable for people evading nation-states but I use it for my home network as another layer in privacy where total traffic proxying or all-over-Tor isn't realistic.