have you tried this simple technique to bypass censorship?
from ghodawalaaman@programming.dev to privacy@lemmy.ml on 26 Apr 19:57
https://programming.dev/post/49433777

hello,

TLDR: just enable DoH

Today, my friend and I were talking about SNI and deep packet analysis shit done by the government. I insisted that since they do this kind of shit they can block access to certain sites like TPB and other freedom websites. He suggested that I just enable DoH in Firefox and see the magic happen. I didn’t believe him until I enabled DoH, and magic: I can access every censored website.

So, just saying that sometimes the bypass is much simpler than we think!

Also, I am thinking that even if the DNS request is encrypted, can’t they see the TLS Client Hello message and block it? Or is it impossible?

#privacy


bjoern_tantau@swg-empire.de on 26 Apr 23:24

I guess they could theoretically block the DoH server(s) by IP. The problem is overblocking. They cannot tell if you’re accessing a webpage or a DoH server. They are basically the same thing.

Of course in terms of privacy the DoH provider can tell what domains you requested. But that is true with every DNS service.

RaisinCrazyFool@kopitalk.net on 26 Apr 23:28

Yes, everyone should set up DoH (DNS-over-HTTPS) or DoT (DNS-over-TLS). You can do this at the browser level, like you just did in Firefox, or at the OS level.

You can also block ads this way, by cutting off connections to known ad domains before they even start. Mullvad runs a free ad-blocking DoH server anyone can use. See https://mullvad.net/en/help/dns-over-https-and-dns-over-tls for instructions on how to set that up on your OS.

Firefox has also just announced a built-in VPN, which could help get around other types of ISP-level censorship. That’s probably the only free VPN I’d trust, personally. Mullvad and Proton are well-regarded paid VPNs if you want to go that route.

anon5621@lemmy.ml on 26 Apr 23:30

You have a weak DPI system in your country then. The GFW and DPI ain’t just playing with IP blocks no more—they straight up dropping any ECH packets on sight and nuking QUIC UDP 443 to force that TCP fallback so they can sniff your SNI, while using active probing and JA3 fingerprinting to instant-kill any encrypted stream that don’t look like a regular Chrome handshake 1:1, and now they even doing ALPN hijacking and timing analysis.

doodoo_wizard@lemmy.ml on 27 Apr 00:31

To your last question: there’s a technology called Encrypted Client Hello intended to solve that problem.
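Added example (not code from anyone in this thread): the OP asks whether an on-path observer can still see the TLS Client Hello once DNS is encrypted, and the reply above points to Encrypted Client Hello. The script below constructs a minimal ClientHello record with a `server_name` extension (RFC 6066), then parses it the way any passive inspection point would, showing that the SNI is readable in plaintext regardless of DoH. A second constructed hello carries an opaque stand-in for the `encrypted_client_hello` extension (the draft codepoint 0xfe0d is an assumption here; the real payload is HPKE ciphertext) with only the public "outer" name in clear, so the observer sees the public name and the presence of ECH, not the real destination. The hostnames and the zeroed random/payload bytes are constructed sample data.

```python
import struct

EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D  # encrypted_client_hello codepoint from draft-ietf-tls-esni (assumption: draft value)


def build_client_hello(sni, extra_extensions=b""):
    """Build a minimal TLS handshake record carrying a ClientHello with a server_name extension.

    Constructed sample data: the random field and session id are fixed placeholders.
    """
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    extensions = sni_ext + extra_extensions
    body = (
        b"\x03\x03"                                  # legacy_version = TLS 1.2
        + bytes(32)                                  # random (placeholder zeros)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ech_extension(payload=bytes(16)):
    """Opaque stand-in for an encrypted_client_hello extension (constructed; real one is HPKE ciphertext)."""
    return struct.pack("!HH", EXT_ECH, len(payload)) + payload


def inspect_client_hello(record):
    """Return what a passive on-path observer can read: the plaintext SNI and whether ECH is present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]

    pos = 2 + 32                                     # skip legacy_version and random
    sid_len = p[pos]; pos += 1 + sid_len             # session_id
    cs_len = struct.unpack("!H", p[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    comp_len = p[pos]; pos += 1 + comp_len           # compression_methods

    result = {"sni": None, "ech": False}
    if pos + 2 > len(p):
        return result                                # no extensions block at all
    ext_len = struct.unpack("!H", p[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4]); pos += 4
        data = p[pos:pos + elen]; pos += elen
        if etype == EXT_SERVER_NAME:
            q = 2                                    # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    result["sni"] = data[q:q + nlen].decode("ascii", "replace")
                q += nlen
        elif etype == EXT_ECH:
            result["ech"] = True                     # inner (real) name is encrypted; only the outer name is visible
    return result


if __name__ == "__main__":
    # Without ECH the destination host name is readable even though DNS was resolved over DoH.
    print(inspect_client_hello(build_client_hello("blocked.example")))
    # With ECH the observer sees only the client-facing public name plus the fact that ECH is in use.
    print(inspect_client_hello(build_client_hello("public.example", ech_extension())))
```

The parser deliberately reads only the fields an observer gets for free on the wire; it does not decrypt anything, which is the point: DoH hides the DNS lookup, but the `server_name` extension in the first TLS packet still names the site unless ECH moves that name into the encrypted inner ClientHello.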

Tenderizer78@lemmy.ml on 27 Apr 03:41

I’m using NextDNS, I enabled all of the security filters, and I also block piracy and NSFW sites so I don’t accidentally access them without a VPN.

I’m not quite satisfied with NextDNS, but it’s the only option on which I can block the xyz, click, and top TLDs.

hexagonwin@lemmy.today on 27 Apr 06:31

idk the technical details much, but DoH/DoT doesn’t bypass DPI for most websites for me in South Korea. zapret/GoodbyeDPI works.