You really want to do this if you use Spectrum Cable. You are locked out of configuring the DNS settings via their cable modems (even if you supply your own). These force a DNS search suffix that leaks all DNS requests to their server, even if you are using another public DNS. I noticed NetworkManager kept forcing the DNS search suffix, even after I manually disabled it. I made the config change to stop it from messing with resolv.conf.
You can easily configure NetworkManager to ignore anything from DHCP, including DNS (properties ipv4.ignore-auto-dns and ipv4.dns* on your connection).
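A check for the situation described in the two comments above: after setting ipv4.ignore-auto-dns on the connection, confirm that resolv.conf really contains only the resolvers you chose and no DHCP-supplied search suffix. This is an added example, not code from either commenter; the resolv.conf contents are constructed (documentation addresses in 192.0.2.0/24 and an `.invalid` domain), and `expected_nameservers` is whatever you configured (a local stub resolver or DoT/DoH proxy in this example).

```python
"""Audit a resolv.conf for settings that a DHCP server pushed in despite a local override.

Added example; input texts below are constructed, not captured from a real system.
"""


def parse_resolv_conf(text):
    """Parse resolv.conf syntax into nameservers, search domains and options.

    Comments start with '#' or ';'. 'domain' is the legacy single-entry form of
    'search', so both are collected under the same key.
    """
    conf = {"nameserver": [], "search": [], "options": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            conf["nameserver"].append(values[0])
        elif key in ("search", "domain"):
            conf["search"].extend(values)
        elif key == "options":
            conf["options"].extend(values)
    return conf


def audit(conf, expected_nameservers, expected_search=()):
    """Return a list of findings; an empty list means the file matches what you configured."""
    findings = []
    unexpected = [ns for ns in conf["nameserver"] if ns not in expected_nameservers]
    if unexpected:
        findings.append("unexpected nameserver(s): " + ", ".join(unexpected))
    missing = [ns for ns in expected_nameservers if ns not in conf["nameserver"]]
    if missing:
        findings.append("configured nameserver(s) absent: " + ", ".join(missing))
    stray = [d for d in conf["search"] if d not in expected_search]
    if stray:
        # A search suffix you did not set means unqualified names get the
        # suffix appended and queried, which is the leak the first comment describes.
        findings.append("search suffix not set by you: " + ", ".join(stray))
    return findings


# Constructed sample: what resolv.conf looks like when DHCP still wins.
LEAKY = """\
# Generated by NetworkManager
search example-isp.invalid
nameserver 192.0.2.1
nameserver 192.0.2.2
"""

# Constructed sample: only the local resolver you configured, no search suffix.
CLEAN = """\
nameserver 127.0.0.1
options edns0 trust-ad
"""

if __name__ == "__main__":
    for label, text in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, audit(parse_resolv_conf(text), ["127.0.0.1"]) or "OK")
```

Run it against the real file with `audit(parse_resolv_conf(open("/etc/resolv.conf").read()), [...])` after `nmcli connection up` on the modified connection; if findings appear, the DHCP lease is still being applied to the resolver configuration.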
DoH cuts both ways, so be sure you know what you are wishing for.
Yes, it allows you to prevent your ISP manipulating your DNS. Your ISP has no way to know when you are resolving, because it is masked in other HTTPS traffic.
But it also allows the apps to prevent you from manipulating their DNS. You don't know when an app is ignoring the resolver you configured system-wide, because it is masked in its HTTPS traffic.
There is a worrying trend that apps (browsers especially) are ignoring whatever you configured in your system, and are becoming basically a black box outside your control with wide-open connectivity to the Internet. No explanation needed as to what that means for any privacy left.
Use a firewall with NAT to redirect all DNS traffic to a DoT or DoH DNS proxy in your network.
That way you don't have to tunnel all your traffic. (Though technically you could also use the tunnel for only DNS, but it's not much easier than the solution above if you want this to apply to all your devices.)
If they're intercepting and changing your DNS packets, what else are they doing? At the very least you can assume port 80 is unsafe and should be tunnelled. SNI is a privacy problem too, so forward 443.
That's a little ridiculous. I've read[0] that Chromecasts, which are fairly common, won't work if Google DNS is unreachable (also by itself an issue), so I'm surprised they didn't get a lot of complaints.