US-based Firefox users get encrypted DNS lookups today or within a few weeks.
I am of two minds on the privacy benefits of DoH/DoT, but my current feeling is that it's not worth bothering with because the benefits don't fit the common use cases.
On one hand, the idea of concealing your DNS lookups from your ISP feels like a positive one. Your ISP can still sniff your SNI requests and see where you're browsing, so it doesn't necessarily gain you any privacy, but it does at least make it more difficult for them to casually spy on you and aggregate your DNS lookups into a salable package.
On the other hand, giving all of your DNS lookups to Cloudflare or NextDNS potentially allows Cloudflare or NextDNS to... casually spy on you and aggregate your DNS lookups into a salable package. And your ISP can still see your SNI requests. So in a way, you're potentially inviting more people to watch you, not fewer.
I used DoH for most of last year, but there's a pretty strong argument to be made that you're better off running your own local recursive resolver with QNAME minimization enabled. This means your DNS requests are not encrypted, but it also means that you're directly doing the entire lookup yourself, which greatly reduces your vulnerability to DNS poisoning.
More to the point, I'm no longer certain there's much benefit at all to obscuring your DNS lookups if the purpose of that obfuscation is to hide activity from your ISP. A bit more than 95% of sites have a unique page-load fingerprint, and that makes figuring out what site you're visiting solely by IP address a trivial task regardless of DNS obfuscation.
With all of that in mind, I've ditched DoH/DoT and just set up Unbound in full recursion mode. It's fast and it works great.
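For reference, here is what "Unbound in full recursion mode with QNAME minimization" looks like as a configuration. This is an added example, not the author's own config: the trust-anchor path is an assumption that varies by distribution, and the hardening options are the usual cache-poisoning mitigations rather than anything the post specifies.

```conf
# Added example: a minimal unbound.conf for a local, fully recursive resolver
# with QNAME minimisation and DNSSEC validation. Not the post author's config;
# the trust-anchor path below is an assumption and differs per distribution.
server:
    verbosity: 1

    # Listen only on loopback, and refuse everything that is not local,
    # so the resolver never becomes an open resolver on the LAN.
    interface: 127.0.0.1
    interface: ::1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Send each nameserver only the labels it needs to see (RFC 7816):
    # the root sees "com.", the .com servers see "example.com.", and only
    # the authoritative server sees the full name.
    qname-minimisation: yes
    # Fall back to the full name for servers that mishandle minimised queries,
    # instead of returning SERVFAIL for the domain.
    qname-minimisation-strict: no

    # DNSSEC validation. The anchor file is created and rolled by
    # unbound-anchor; the path is an assumption (check your distro's package).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Cache-poisoning hardening: randomise query-name case (0x20), ignore
    # out-of-bailiwick glue, reject answers whose DNSSEC data was stripped,
    # and flush the cache for a query if it attracts a flood of bogus replies.
    use-caps-for-id: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    unwanted-reply-threshold: 10000

    # Refresh popular records before they expire; keep answers small.
    prefetch: yes
    minimal-responses: yes

    # Don't answer id.server / version.bind probes.
    hide-identity: yes
    hide-version: yes

# Deliberately no forward-zone section. With no forwarders configured,
# Unbound walks the delegation chain from the root servers itself (full
# recursion) rather than handing every lookup to an upstream resolver.
```

Check the file with `unbound-checkconf`, point `/etc/resolv.conf` at `127.0.0.1`, and confirm validation is on with `dig +dnssec example.org @127.0.0.1` (the `ad` flag should be set). To confirm minimisation is actually in effect, query the TXT record at `qnamemintest.internet.nl` through the resolver; the response text says whether the querying resolver minimised the lookup.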