I don't understand why people can't see the dangers of moving everything to DoH
Because "more security" is hard to argue against. The huge corporations who ultimately want to take control of the population have realised that, and are using that excuse to get in bit by bit.
>Because "more security" is hard to argue against. The huge corporations who ultimately want to take control of the population have realised that, and are using that excuse to get in bit by bit.
But in reality, DoH doesn't really provide "more security."
All it does is obfuscate DNS queries. If you're concerned about ISP tracking, DoH doesn't really help with that at all since the ISP can see where you're going just by looking at packet headers anyway.
And the Googles and Facebooks of the world love DoH because it bypasses PiHole style ad/tracking blockers.
The appropriate solution is to use PiHole (or PiHole style blocklists) in concert with a local recursive resolver (or an external resolver that supports DNSCrypt), not to obfuscate your DNS requests, allowing all the ads/tracking/spying connections to proliferate.
It's not a perfect solution, but it's a much better solution than needing to implement one or more ad/tracker blocking solutions on every single device on your network.
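To make the "blocklist in front of a local recursive resolver" model concrete, here is an added example that is not Pi-hole's code and not from anyone in this thread: a simplified policy check that normalises a query name, consults an allowlist, an exact blocklist, a domain-plus-subdomains blocklist and a regex list in that order, and then either sinkholes the query or forwards it upstream. All list entries, query names and the upstream label are constructed placeholders; the function and variable names are this example's own. Note that this filter only sees queries that reach it, which is exactly why an application resolving over DoH to a public resolver walks straight past it.

```python
import re

# Constructed sample lists; real blocklists hold hundreds of thousands of entries.
ALLOW_EXACT = {"cdn.ads.example.net"}               # allowlist wins over every blocklist
BLOCK_EXACT = {"tracker.example", "ads.example.net"}  # exact-name entries, the usual blocklist form
BLOCK_DOMAINS = {"telemetry.example"}               # blocks the domain and every subdomain
BLOCK_REGEX = [re.compile(r"(^|\.)ads?\d*\.")]      # matches ads.foo.example, ad2.bar.example

UPSTREAM = "local-recursive-resolver"               # placeholder for e.g. an unbound instance


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; compare a canonical form."""
    return qname.rstrip(".").lower()


def parent_domains(name: str) -> list:
    """'a.b.example' -> ['a.b.example', 'b.example', 'example'], for domain-wide matching."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def is_blocked(qname: str):
    """Return (blocked, reason) for one query name."""
    name = normalize(qname)
    if name in ALLOW_EXACT:
        return False, "allowlisted"
    if name in BLOCK_EXACT:
        return True, "exact"
    for parent in parent_domains(name):
        if parent in BLOCK_DOMAINS:
            return True, "domain " + parent
    for rx in BLOCK_REGEX:
        if rx.search(name):
            return True, "regex " + rx.pattern
    return False, "clean"


def answer(qname: str, upstream: str = UPSTREAM) -> dict:
    """Decide what the filtering resolver does: sinkhole the name or forward it to the recursive resolver."""
    blocked, why = is_blocked(qname)
    if blocked:
        return {"qname": qname, "action": "sinkhole", "answer": "0.0.0.0", "reason": why}
    return {"qname": qname, "action": "forward", "to": upstream, "reason": why}


def summarize(qnames: list) -> dict:
    """Count decisions over a batch of query names, as a log summary would."""
    counts = {"sinkhole": 0, "forward": 0}
    for q in qnames:
        counts[answer(q)["action"]] += 1
    return counts


if __name__ == "__main__":
    # Constructed query log
    for q in ["tracker.example", "WWW.Telemetry.Example.", "cdn.ads.example.net",
              "ad2.foo.example", "example.com", "load.example"]:
        print(answer(q))
```

The ordering matters: an allowlist hit must short-circuit before any blocklist is consulted, and the regex list is checked last because it is the most expensive and the most prone to over-matching (the sample pattern anchors on a label boundary so that "load.example" is not caught by "ad").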
First they take the DNS queries. Then they start routing the rest of the traffic through their servers, while advertising how it's all "for your privacy and security", of course.
To be clear, I'm not against the principles behind DoH, and think traffic going from the local network into the Internet benefits from encryption; I'm against how it's being implemented at the application-level and its subversive nature.
That's fair enough, but in the short term, Cloudflare is more trustworthy (and tolerant of free speech!) than my ISP and government. Is there an initiative in which I have to trust none of these parties?
You can reroute DoH to your own resolver. If you have a trusted wildcard certificate on the device you want to reroute DoH for this will work 100% of the time. If you don't have a trusted wildcard cert on the device in question it usually will either not care or will fall back to unencrypted DNS.