
Thank you, however I still don't understand how it works from what you said. What is an "upstream DNS provider" in this context?

I'm just not seeing how Comcast can't still know where you're going, since obviously you are routing your traffic through them and they see the IP address; how is the IP not giving them enough information to figure out where you are going? Is encrypted DNS only going to work for a handful of sites running in some special way, or is this supposed to work for everything?




> What is an "upstream DNS provider" in this context?

This would be your DoH provider. You can have layers of caching and DNS servers on your machine and network, but DNS queries ultimately have to go to a foreign DNS provider.

> I'm just not seeing how Comcast can't still know where you're going

If your connections aren't encrypted, or you only access servers with static IP addresses, then Comcast will be able to know where you're going.

Modern web applications have many layers of indirection, and you can't always correlate accessed IP addresses with the service the user is using.

As an example, consider a site that uses HTTPS and is proxied with Cloudflare. To Comcast, you're sending encrypted bytes to an IP address that doesn't identify the site, it's just Cloudflare. With unencrypted DNS, Comcast can just look at your DNS queries and determine the sites you're visiting. With encrypted DNS, Comcast sees that you connected to your DNS provider and Cloudflare, which isn't exactly valuable.


> With encrypted DNS, Comcast sees that you connected to your DNS provider and Cloudflare, which isn't exactly valuable.

Comcast also sees SNI in plain text, sees all the other connections to other IPs for third-party resources on that domain, also with SNI, and sizes of all the responses of course. And just the IP addresses and response sizes give enough information to figure out what domain is visited, never mind seeing it in plain text in SNI.


In combination with Encrypted SNI in TLS 1.3 (https://blog.cloudflare.com/encrypted-sni/), they won't be able to see that.


DoH + eSNI + TLS 1.3 won't prevent seeing IP sets. See this thread https://news.ycombinator.com/item?id=21340671 and my other comments here.

There are only detrimental effects from DoH on privacy, because an extra party sees lots of stuff about you and your ISP still sees everything.


Good point. Hopefully encrypted SNI will gain traction, as well.

