Even if you are visiting a site over HTTPS, the DNS query your computer uses to look up the site's address is sent over an unencrypted connection. This means that even if you are browsing over HTTPS, a third party examining the packets sent to and from your computer can see which sites you are visiting, even if they don't know the contents.
DNS-over-HTTPS (DoH) encrypts the address lookup for the site you want to visit. This increases user privacy and makes third-party eavesdropping harder. It also makes ISP-level blocking more difficult.
This extra layer of security ideally prevents third parties, such as network service providers, from easily seeing the websites internet users visit, and prevents miscreants from tampering with domain-name lookups. Though DoH provides more privacy than the status quo, it is controversial where a lack of privacy is assumed or required, such as in monitored environments that insist on content filtering, among other reasons.
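As an added example (not code from the original post), here is the DoH request shape defined in RFC 8484 in Python: the DNS query is built in ordinary wire format, then carried to the resolver as a base64url `dns=` parameter of an HTTPS GET, so a network observer between the client and the resolver sees only TLS to the resolver host rather than the queried names. The resolver URL and the reply are constructed placeholders.

```python
import base64
import struct
import urllib.parse

DOH_ENDPOINT = "https://doh.example.net/dns-query"  # assumed placeholder resolver

def build_dns_query(name, qtype=1):
    """Wire-format DNS query (RFC 1035); ID=0 and RD=1 as RFC 8484 suggests for cacheability."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(endpoint, dns_msg):
    """RFC 8484 GET form: base64url without '=' padding in the `dns` parameter."""
    param = base64.urlsafe_b64encode(dns_msg).rstrip(b"=").decode("ascii")
    return endpoint + "?" + urllib.parse.urlencode({"dns": param})

def constructed_response(query_msg, ipv4):
    """Constructed sample reply: echoes the question and answers with one A record."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, one answer
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # pointer to qname
    return header + query_msg[12:] + answer

def skip_name(msg, off):
    """Advance past a name written as labels or as a compression pointer."""
    while True:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        if msg[off] == 0:
            return off + 1
        off += msg[off] + 1

def parse_a_answers(resp):
    """Collect IPv4 addresses from the answer section of a wire-format response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs
```

Sending the URL over HTTPS with an `Accept: application/dns-message` header and passing the response body to `parse_a_answers` completes the exchange; the `dns=` value produced for `www.example.com` is the same one RFC 8484 uses in its GET example.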
Back in July, the UK Internet Services Providers’ Association nominated Mozilla for its “internet villain of the year” award because DoH breaks DNS-based content filters put in place to deny access to explicit, obscene or otherwise objectionable websites. A few days later, the trade group reversed itself after online blowback.