ISPs can and do sell your information, and can also be served a warrant or NSL. Cloudflare, by contract, is prohibited from doing the former, which is a net improvement even if they're still subject to the latter.
It's an incremental improvement, but a positive one.
I would certainly love to see an even better protocol for Internet name resolution that prevents anyone from having name-lookup information, but in the meantime, DoH seems like a huge step forward in ensuring that no unencrypted traffic is visible to the ISP or local network.
Your ISP, however, is not prevented from collecting and selling your data by DoH. So the addition of default DoH in cloudflare adds an extra party that can intercept your traffic but does not remove any.
> DoH seems like a huge step forward in ensuring that no unencrypted traffic is visible to the ISP or local network
DNS traffic is a much richer and more valuable resource than a simple list of IP sessions.
Yes, of course your ISP can see who you're connecting to and sell that, but denying them (and anyone else) the ability to collect all DNS traffic is better than not denying that.
DoH is significantly richer than DNS itself because of session reuse.
DNS is cached, other than potential ambiguity related to shared hosts (which can be resolved by looking at SNI) -- I'm failing to see how DNS is richer than the traffic itself. Less costly to monitor? Sure.
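To make the disagreement above concrete, here is an added example (not code from any commenter) that models what an on-path observer such as an ISP can recover from two traffic mixes: plaintext UDP DNS followed by a TLS connection, versus DNS carried inside TLS to a DoH resolver followed by the same TLS connection. It builds constructed packets, parses the DNS QNAME from a query and the server_name (SNI) from a TLS ClientHello, and reports what each mix reveals. The hostnames `example.org` and `doh-resolver.example` are placeholders. The point it illustrates is the one made in the thread: with DoH the plaintext query disappears, but the destination hostname still appears in the ClientHello SNI, which is also what resolves the shared-host ambiguity; only Encrypted ClientHello (ECH) would hide that field.

```python
import struct

# --- constructed packet builders (sample data, not captures) ---------------

def build_dns_query(qname: str) -> bytes:
    """Minimal UDP DNS query: 12-byte header, QNAME labels, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS handshake record carrying a ClientHello with one SNI extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (b"\x03\x03"            # client_version
            + bytes(32)            # random (zeros in this constructed sample)
            + b"\x00"              # session_id length
            + b"\x00\x02\x13\x01"  # one cipher suite
            + b"\x01\x00"          # null compression
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# --- what a passive observer can parse -------------------------------------

def extract_qname(payload: bytes):
    """Return the question name from a plaintext DNS query, or None."""
    if len(payload) < 12:
        return None
    pos, labels = 12, []
    while pos < len(payload):
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:           # compression pointers do not occur in a question
            return None
        labels.append(payload[pos:pos + n].decode("ascii", errors="replace"))
        pos += n
    return ".".join(labels) or None

def extract_sni(record: bytes):
    """Return server_name from a TLS ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                     # not a handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                     # not a ClientHello
    pos = 4 + 2 + 32                                    # header, version, random
    pos += 1 + hs[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                  # compression_methods
    if pos + 2 > len(hs):
        return None                                     # no extensions block
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        ext = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000:
            lpos = 2                                    # skip ServerNameList length
            while lpos + 3 <= len(ext):
                ntype = ext[lpos]
                nlen = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                if ntype == 0:
                    return ext[lpos + 3:lpos + 3 + nlen].decode("ascii", errors="replace")
                lpos += 3 + nlen
    return None

def observer_sees(flows):
    """flows: list of (protocol, payload). Returns the names visible on the wire."""
    seen = []
    for proto, payload in flows:
        name = extract_qname(payload) if proto == "dns" else extract_sni(payload)
        if name:
            seen.append((proto, name))
    return seen

# Plaintext DNS then TLS: the lookup and the SNI both reveal the site.
PLAIN_DNS_FLOWS = [("dns", build_dns_query("example.org")),
                   ("tls", build_client_hello("example.org"))]
# DoH then TLS: the query is inside TLS to the resolver, but the site SNI remains.
DOH_FLOWS = [("tls", build_client_hello("doh-resolver.example")),
             ("tls", build_client_hello("example.org"))]

if __name__ == "__main__":
    print("plaintext DNS:", observer_sees(PLAIN_DNS_FLOWS))
    print("DoH:          ", observer_sees(DOH_FLOWS))
```

Run it and the DoH case shows the resolver's hostname plus the destination SNI, with no plaintext query; the plaintext-DNS case shows the query name as well. The lower-cost, higher-volume collection the thread is about is the `dns` line; the `tls` line is what remains visible after DoH.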