EFF view on DoH and potential privacy problem with it

Encrypted DNS could help close the biggest privacy gap on the Internet. Why are some groups fighting against it?

Thanks to the success of projects like Let’s Encrypt and recent UX changes in the browsers, most page-loads are now encrypted with TLS. But DNS, the system that looks up a site’s IP address when you type the site’s name into your browser, remains unprotected by encryption.

Because of this, anyone along the path from your network to your DNS resolver (where domain names are converted to IP addresses) can collect information about which sites you visit. This means that certain eavesdroppers can still profile your online activity by making a list of sites you visited, or a list of who visits a particular site. Malicious DNS resolvers or on-path routers can also tamper with your DNS request, blocking you from accessing sites or even routing you to fake versions of the sites you requested.

Read on: https://www.eff.org/deeplinks/2019/09/encrypted-dns-could-help-close-biggest-privacy-gap-internet-why-are-some-groups

Personal remark. DoH is bypassing Pi-hole, which is not desired. You could alter Pi-hole to also be DoH, but that has many pitfalls and is not feasible to implement in a short time.

You need a valid TLS certificate, and running the service internally makes it complicated.
You need an external dummy site, and then you could use an alternate to cover the internal interface.

AVM, known for the Fritz!Box router, will start to support DoH in the future.
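To make the two points above concrete (an on-path observer reads the site name straight out of a plaintext DNS packet, and a DoH client wraps that same packet inside HTTPS so a DNS-level filter such as Pi-hole never sees it), here is an added, self-contained Python example. It is not code from the EFF article, from Pi-hole, or from the post's author. It hand-builds a DNS query for a constructed name, parses the question section the way any packet observer would, and then shows the RFC 8484 GET encoding of that same query; the resolver URL `https://doh.example.invalid/dns-query` is a placeholder, and no network traffic is sent.

```python
import base64
import struct

# Constructed example: a DNS query for example.com, type A, built by hand
# in RFC 1035 wire format so that everything runs offline.


def encode_qname(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=1):
    """Build a minimal DNS query: 12-byte header plus one question (QCLASS IN).
    Note: RFC 8484 recommends a transaction ID of 0 for cache-friendly DoH GETs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)
    return header + question


def decode_qname(msg, offset):
    """Read labels starting at offset; returns (name, offset after the name).
    Compression pointers (top bits 11) are followed, with a hop limit."""
    labels = []
    jumped = False
    end = None
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to a name earlier in the message
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = ptr
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def questions_in(msg):
    """Parse the question section: [(name, qtype, qclass), ...].
    This is exactly what an on-path observer, or Pi-hole, reads from a plaintext
    (port 53) DNS packet: the site name is right there in the clear."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    offset = 12
    out = []
    for _ in range(qdcount):
        name, offset = decode_qname(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        out.append((name, qtype, qclass))
    return out


def doh_get_url(resolver_base, query):
    """RFC 8484 GET form: the wire-format query, base64url without padding, in
    the 'dns' parameter. On the network this URL travels inside TLS, so a
    DNS-level filter only sees an HTTPS connection to the resolver."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_base}?dns={b64}"


def doh_unwrap(url):
    """Inverse of doh_get_url: what the DoH server does after TLS termination."""
    b64 = url.split("?dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)  # restore padding
    return base64.urlsafe_b64decode(b64)


if __name__ == "__main__":
    q = build_query("example.com")
    print("plaintext DNS payload:", q.hex())
    print("visible to any on-path observer:", questions_in(q))
    url = doh_get_url("https://doh.example.invalid/dns-query", q)
    print("same query as a DoH request (seen only by the resolver):", url)
    assert doh_unwrap(url) == q
```

Running it prints the question `('example.com', 1, 1)` recovered from the raw packet, then the DoH URL carrying the identical bytes; the point for a Pi-hole operator is that the filter's whole view of the query disappears into the TLS session, which is why the post calls DoH a bypass.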