A quick primer prior to hitting the substance of this post. 

With respect to the Internet, people like names and machines like numbers.  When we enter:  www.google.com into our web browsers, domain name service (DNS), is what takes the name:  www.google.com and converts it to the IP address:  172.217.5.196

DNS encompasses more than that but the basic point is that this type of resolution exists in the background and it's all happening unencrypted.  So why do we care?  We could talk about Man in the Middle attacks and how this traffic can be intercepted, poisoned, and how you could be sent somewhere else.  But odds are pretty good that's not happening to you.  Let me paint a more realistic example that is happening to you.  

We frequently see these signs around:  Free WiFi

Nothing in life is free and if you're not paying for it, you are the product.  When you're in Home Depot and you hop on their Free Wifi, I would bet they are capturing DNS traffic.  I don't know this for a fact but they would be stupid to NOT capture DNS traffic and anything else for that matter.  I could easily digress into an Orwellian nightmare but I'll just recommend you Google:  "department stores facial recognition" and speculate that they will tie your phone, your captured browsing requests, and your face into one big bucket and use that to their advantage.  

Personally I don't hop on Free Wifi all that much.  When I do, I use a VPN which hides my traffic from prying eyes.  Not everyone has that luxury but by encapsulating DNS over HTTPS (DoH), we can take back a little bit of our privacy.  Firefox makes this fairly simple. 

I'm getting ahead of myself though -- let's start at the beginning.  

We open a web browser and we point to Google:





The little green lock says the browsing is encrypted but if we sniff the DNS traffic, we don't need to see the actual browser to know we're on Google:






Perhaps while I'm at Home Depot, I can't live without my Cat Memes:






Again, the search is encrypted but I still see something going on with Google (gstatic).






I decided to check out some Cat Memes on Best Life:






Our traffic shows exactly where we're browsing:






Using Firefox, we can enable DNS over HTTPS.  In the URL, if we enter about:config --






Upon accepting the risk, we search for:  network.trr.mode

trr = Trusted Recursive Resolver






From Mozilla's Wiki:

0 -- is "off by default"
1 -- lets Firefox pick whichever is faster
2 -- to make DNS Over HTTPS the browser's first choice but use regular DNS as a fallback
3 -- for TRR only mode
5 -- to explicitly turn it off





We choose Mode 2.  

One more change -- we want to choose our source for DNS over HTTPS resolution:






I personally don't have any issue with Cloudflare but as far as reliability, Google is probably a notch above which is why I'm using their server:






Google would be the original sniffer of DNS traffic by providing the most reliable DNS servers.  Rarely do I use what is given to me by Internet Service Providers.  In other words, Google already knows what I'm browsing so let's just keep it in the family.

Now that we're all setup, we browse to Amazon:






When we sniff the traffic:






Crickets.  

We decide the price is too much at Home Depot and Amazon, maybe it's on Ebay:






Still listening:






And still nothing.

We put things back to the way they were:






We decide to look in our Etrade account to see if we have enough money to buy that new fancy BBQ at Home Depot:






As you would expect:






We are back to capturing DNS traffic.  

Admittedly, I haven't played with this a ton so I haven't come across a situation where I'd suggest against using it.  The single point of failure is Google but setting Mode 2 ensures that if DNS over HTTPS fails, regular DNS queries are the backup.  If I were privacy minded, I am, I would set Mode 3 because if it fails, I want to know it's failing rather than having a false impression.  At that point, I can make the choice as to whether or not I want to allow traditional resolution.