Latitude wrote: Is DOH really a solution to circumvent Internet censorship (by government)?
No. All these technologies only protect DNS. But if we're talking about web browsing, they do nothing for privacy. HTTP connections contain the hostname (and full URL) in plaintext, so anyone on the way (e.g. the ISP) can see it. Even HTTPS connections contain a readable hostname because of SNI (Server Name Indication). So if someone wants to do some filtering, they can; you can't hide what you're doing. At least not so easily. DOH can help only with DNS-based filtering.
DNS-based filtering is commonly used for soft censorship because it's cost-effective. It's not all that great, the main part is that it's really cheap. In its simplest form, it needs hardly any extra resources. A censoring government just forces ISPs to do filtering on their own DNS resolvers. It's no problem for the ISP, because it can be easily implemented and doesn't affect any other traffic. And it's surprisingly effective. Anyone can get around it just by switching to different resolvers, but many non-technical users don't know how to do it, so it does work on them. The next level is hijacking all DNS traffic from users and forcing it to go to the ISP's resolvers. It's a dick move, but Facebook still works (I mean, if it's not the target of blocking), so not too many will complain. DOH will help you here.
The trouble is, if DOH or a similar technology becomes available everywhere by default, DNS-based filtering will stop working even for non-technical users. And guess what, censors won't say "oh well, we tried, there's no point to continue now, let them have uncensored internet". No, they will move to other (worse) forms of filtering. For web browsing, it's very easy to block access to selected hostnames. It's much more resource intensive than a DNS-based solution, but possible. A government that really likes censorship will happily pay for the ISP's costs with its own money. Well, not exactly "own", they will tax you to get it.
DOH can be useful on untrusted networks, where someone serves fake DNS responses for one reason or another. DOH can help here too (if you can trust the DOH server operator). In theory, it shouldn't be necessary, that's what we already have DNSSEC for, to prevent tampering with DNS records. In practice, it's far from widespread, so you can't rely on it for most domains. And worse, nothing in a common system actually cares about it. Web browsers, the OS itself, they couldn't care less about fake responses. Currently it's only the configured resolver that possibly cares about DNSSEC and filters fake responses. But it has to be as close to you as possible, preferably within your own network. Public resolvers such as Google's care about DNSSEC too, but it doesn't help much, because between them and you, anyone (e.g. an evil ISP) can still tamper with responses and nothing in your system will notice.