Cloudflare is not the only DNS over HTTPS provider. For instance, Mullvad provides both DNS over HTTPS and DNS over TLS free of charge, with optional ad blocking, even if you're not using their VPN service. They have instructions for configuring Firefox and Android with their DNS endpoints:
I like to combine DoH with a VPN. The VPN doesn't see my DNS queries, and Cloudflare just sees a vague IP based in some vague colocation center. There is still plaintext SNI[0] to worry about though, which is being mitigated with something called ECH[1]. `Oblivious DoH`[2] is worth reading about too.
It can be both give and take. Just like a VPN, DoT/DoH is sensible if you trust your ISP less than your encrypted DNS operator.
Someone will inevitably pop in and remark, “I trust my ISP with my DNS queries due to regulations in my country!” Good, I’m happy for you. But some of us are stuck with Comcast.
I don't really buy the "centralizing" argument; any organization can join the TRR program. The main difference is that you have to agree to a bunch of baseline privacy requirements to join.
It turns out that not many organizations who operate a resolver are willing to agree to those requirements. Isn't calling that centralization like saying the health inspector is centralizing restaurants by shutting down dirty kitchens?
Every website you've ever visited or DNS query performed is logged by your ISP due to that "decentralized" behavior. It's not decentralized when there are very few companies involved and a very long history of happy dragnetting.
My ISP is subject to GDPR, has an office down the road, I know people who work there, and is answerable to the Data Protection Commissioner. They have a customer service department that answers my calls in person within 30 minutes tops. So yes, I trust it more than Google or Cloudflare. With DNS I have visibility and the ability to block on my own home network on all devices. I can even do MITM on apps to see what they are sending up. All this without any configuration changes on the endpoint. If I want more privacy I can use a VPN or Tor. DoH will send my traffic to Cloudflare and I won't have any say, visibility or blocking capability. Not all phones, ebooks etc... will be configurable... This is a USA-centric big tech data grab, plain and simple.
Everyone is dragnetting. GDPR means nothing when it's government sanctioned collection. Germany for example has a known history of data center black boxes.
Why not create a service that downloads a DNS cache of however many DNS names you can fit in a 10 or 100 MB file, and thereby allow a Raspberry Pi to reply to most DNS queries?
This seems like a step backwards.