    Read. Understand. Do.

    https://www.howtogeek.com/664608/why...lt-dns-server/

    #2
    "However, even if you enable DoH in your browser, it’s up to the DNS provider to implement it"



      #3
      Originally posted by SoulReaver View Post
      "However, even if you enable DoH in your browser, it’s up to the DNS provider to implement it"
      Ah, you missed the 2nd part of the lesson. Understand.

      That means that the DNS server you are using must support encrypted DNS.
      Unless you're a radical individualist like me, the vast majority (guess - 99%+) use the DNS servers your ISP provides when your modem/router/whatever connects.

      However, ISPs like to push adverts in your face using this system. Additionally, if the ISP wants to, they can track where you go using that info, too.

      Windows default networking does this automatically, and if you have a router, that would do it too. It's the default among most home setups.

      Oddballs like me don't have to worry about it. I have been running my own DNS server for at least a decade now because I don't like that being used to shove ads in my face. It's also hella faster than my ISP's servers or any other public servers. It should be, it's on my own network.

      So, Firefox/Chrome and others are moving to support encrypted DNS. There's a new setting in Firefox, right where you can set a proxy if your conn. needs one. You can tell Firefox to use whatever nameserver you specify there, and it will use it. There are legitimate defaults offered here.

      So, while the rest of the computer uses the default non-encrypted DNS, Firefox uses encrypted. It ain't perfect, but at least it provides some privacy for browsing.

      I'm sure Chrome has similar settings, but as I don't want Google tracking my every breath with their browser, I won't install it.



        #4
        Originally posted by Annoyed View Post
        Ah, you missed the 2nd part of the lesson. Understand.

        That means that the DNS server you are using must support encrypted DNS.
        Unless you're a radical individualist like me, the vast majority (guess - 99%+) use the DNS servers your ISP provides when your modem/router/whatever connects.

        However, ISPs like to push adverts in your face using this system. Additionally, if the ISP wants to, they can track where you go using that info, too.

        Windows default networking does this automatically, and if you have a router, that would do it too. It's the default among most home setups.

        Oddballs like me don't have to worry about it. I have been running my own DNS server for at least a decade now because I don't like that being used to shove ads in my face. It's also hella faster than my ISP's servers or any other public servers. It should be, it's on my own network.

        So, Firefox/Chrome and others are moving to support encrypted DNS. There's a new setting in Firefox, right where you can set a proxy if your conn. needs one. You can tell Firefox to use whatever nameserver you specify there, and it will use it. There are legitimate defaults offered here.

        So, while the rest of the computer uses the default non-encrypted DNS, Firefox uses encrypted. It ain't perfect, but at least it provides some privacy for browsing.

        I'm sure Chrome has similar settings, but as I don't want Google tracking my every breath with their browser, I won't install it.
        That's what I meant: what if it doesn't support such encryption? (precisely because they want to track where you go)

        Then is the only solution to run your own DNS server? But then how does that even work? Would you need to have a "URL <-> IP" list for each & every website you can visit? (since you don't rely on a public DNS server to resolve the addresses)

        like you'd have a text file with lines like "www.google.com = 216.58.204.131" and millions of other such lines for every other website
        and that's not counting email servers



          #5
          Originally posted by SoulReaver View Post
          That's what I meant: what if it doesn't support such encryption? (precisely because they want to track where you go)

          Then is the only solution to run your own DNS server? But then how does that even work? Would you need to have a "URL <-> IP" list for each & every website you can visit? (since you don't rely on a public DNS server to resolve the addresses)

          like you'd have a text file with lines like "www.google.com = 216.58.204.131" and millions of other such lines for every other website
          and that's not counting email servers
          That's simple. Don't tell Firefox to use a server which doesn't support encryption. Two suggestions are offered in Firefox's options, and both will support encrypted DNS. That will protect your browsing with Firefox.

          If you want to nail down your entire computer, or network, it's best to run your own server.

          In my setup, it was a natural extension of what I already had set up.

          My network setup for 20+ years has been a *nix (FreeBSD or Linux) machine connected to the uplink provider's modem. This machine has two network interfaces, "inside" and "outside". I run various services and applications that I want all machines on the inside network to have access to on this, and it also provides a very effective & flexible firewall solution. None of the services I have running for the inside network will even listen for connections coming from the outside, let alone answer them. The firewall would block the software from ever "hearing" a request from the outside as well, so it is secure.
          In addition, these days, that machine also runs Plex media server software and has TV tuner cards in it, so it is the basis of all OTA TV, including DVR capability.

          DNS is a distributed database operated by a central authority that anyone can access. Although I suppose there are Windows ports for it, almost all DNS servers in the world are running the DNS daemon (BIND) on Unix-based machines. It was a simple matter to install that software on the *nix based head end machine & then tell all the clients (inside computers/gadgets/etc.) to use that as the DNS server. All inside machines get their network config from the head end machine via DHCP anyway, so it is simple to tell them to use the head end box as their DNS server.

          Aside from some custom configuration to allow it to resolve the internal network names and addresses of the inside machines, it's basically an "out of the box" configuration. So basically, I'm duplicating the DNS service your ISP would provide you with myself. Same software, same sources for data, the whole 9 yards. Except they can't spy on me, of course. Nor can they shove advertising at me.

          Yeah, it did require a little learning, but it was fairly easy.

          I don't know your background, so this may or may not make sense to you.
          There are many places on the 'net you can educate yourself regarding this, here is one basic sample site:

          https://computer.howstuffworks.com/dns.htm
          Last edited by Annoyed; 15 April 2020, 07:22 AM.



            #6
            Originally posted by Annoyed View Post
            DNS is a distributed database operated by a central authority that anyone can access.
            So that central DNS authority is NOT the same as a DNS server? That's where I was confused.
            If it's not the same, then do those DNS servers basically download that entire database onto their own servers?

            If so, why can't everyone just directly use the central authority for their DNS? (what's their IP?)



              #7
              Originally posted by SoulReaver View Post
              So that central DNS authority is NOT the same as a DNS server? That's where I was confused.
              If it's not the same, then do those DNS servers basically download that entire database onto their own servers?

              If so, why can't everyone just directly use the central authority for their DNS? (what's their IP?)
              Anyone who wishes to do so can use it. But it's not as simple as just putting its IP into your computer's settings; it doesn't have a single IP.
              You have to be running a program aka daemon that can interface with this system. The most widespread one is BIND.

              There are many sources of information about this on the Internet, as well as books you can purchase to read.



                #8
                Well, I guess SR screwed his computer's networking up......



                  #9
                  Originally posted by Annoyed View Post
                  Well, I guess SR screwed his computer's networking up......
                  u wish

                  Anyway, why can't we just put the IP (or several - primary & secondary) of the top DNS authority into our network settings? That'd make it simpler.

                  For instance, 212.217.1.1 & 212.217.1.12 are both IPs of the central DNS authority, right? Not mere 'DNS servers'?



                    #10
                    Originally posted by SoulReaver View Post
                    u wish

                    Anyway, why can't we just put the IP (or several - primary & secondary) of the top DNS authority into our network settings? That'd make it simpler.

                    For instance, 212.217.1.1 & 212.217.1.12 are both IPs of the central DNS authority, right? Not mere 'DNS servers'?
                    You still haven't completed step 2 of the assignment. Understand.

                    It's not a "central authority", it's distributed.

                    For example, I have BIND running on my head end. When it needs to do a lookup, it consults a central authority to find what server is authoritative for that domain, which replies with the IP of that domain's server. Best way to get information: go to the horse's mouth. BIND then consults that server to get the IP address.

                    While there is no restriction preventing anyone who wants to use it from doing so, it's not meant for the average home user.
                    Last edited by Annoyed; 22 April 2020, 01:03 PM.

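An added example, not code from this thread or from BIND itself: a small Python simulation of the iterative lookup the post above describes (root hints, then the TLD server, then the server that is authoritative for the domain), with the answer cached locally the way a home recursive server would. It also shows why the suggestion in #9 of pointing clients straight at the top-level servers does not work: those servers hand back referrals, not addresses. Every server, name and address below is constructed for the example (documentation IP ranges), not a real nameserver.

```python
# Added example, not from the thread: a toy iterative resolver that follows the
# delegation chain the post describes (root -> TLD server -> authoritative
# server). All servers, names and addresses below are constructed for the
# example; the IPs come from documentation ranges, not real nameservers.

# Each simulated authoritative server holds the records for its own zone plus
# delegations (NS name and glue address) for the child zones it hands off.
SERVERS = {
    "198.51.100.1": {                     # constructed "root" server
        "zone": ".",
        "delegations": {"com.": ("ns.gtld.example.", "198.51.100.2")},
        "records": {},
    },
    "198.51.100.2": {                     # constructed ".com" TLD server
        "zone": "com.",
        "delegations": {"example.com.": ("ns1.example.com.", "198.51.100.3")},
        "records": {},
    },
    "198.51.100.3": {                     # constructed authority for example.com
        "zone": "example.com.",
        "delegations": {},
        "records": {"www.example.com.": "203.0.113.5",
                    "mail.example.com.": "203.0.113.25"},
    },
}
ROOT_HINTS = ["198.51.100.1"]   # what a resolver's root hints file provides


def in_zone(name, zone):
    """True if `name` lies at or below `zone` (both fully qualified)."""
    return name == zone or name.endswith("." + zone)


def query_server(server_ip, qname):
    """Ask one server directly. Returns ("answer", ip), ("referral", next_ip)
    or ("nxdomain", None), mirroring what a real authoritative server sends."""
    server = SERVERS[server_ip]
    if qname in server["records"]:
        return ("answer", server["records"][qname])
    # The longest matching delegation wins, as at a real zone cut.
    best = None
    for zone, (_ns, glue) in server["delegations"].items():
        if in_zone(qname, zone) and (best is None or len(zone) > len(best[0])):
            best = (zone, glue)
    if best:
        return ("referral", best[1])
    return ("nxdomain", None)


def resolve(qname, cache, max_hops=8):
    """Iterative resolution as a local BIND would do it: start at the root
    hints, follow referrals until an answer arrives, and cache the result.
    Returns (ip_or_None, trail); trail lists each (server, response kind)."""
    if qname in cache:
        return cache[qname], []            # no network hops at all
    trail = []
    server = ROOT_HINTS[0]
    for _ in range(max_hops):
        kind, payload = query_server(server, qname)
        trail.append((server, kind))
        if kind == "answer":
            cache[qname] = payload
            return payload, trail
        if kind == "nxdomain":
            return None, trail
        server = payload                   # follow the referral downward
    raise RuntimeError("delegation chain too long for " + qname)


if __name__ == "__main__":
    cache = {}
    print(resolve("www.example.com.", cache))   # three hops: root -> .com -> example.com
    print(resolve("www.example.com.", cache))   # served from cache, zero hops
    # Asking the root directly, as #9 proposes, yields only a referral:
    print(query_server(ROOT_HINTS[0], "www.example.com."))
```

The trail returned by `resolve` is the point of the example: the first server contacted never knows the address, it only knows who to ask next, which is why a resolver program (BIND in the post) has to sit between a client and those servers. The cache is what makes the second lookup on a local server faster than asking an ISP resolver.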


                      #11
                      Originally posted by Annoyed View Post
                      You still haven't completed step 2 of the assignment. Understand.

                      It's not a "central authority", it's distributed.
                      Originally posted by Annoyed View Post
                      DNS is a distributed database operated by a central authority
                      ??



                        #12
                        Originally posted by SoulReaver View Post
                        ??
                        http://shop.oreilly.com/product/9780596100575.do
