Reply to post:

Please stop regulating the dumb tubes, says Internet Society boss

chuBb.

DNS over HTTPS differs quite a lot from a VPN

VPNs provide you with an encrypted tunnel between point A and point B; depending on how they have been configured, different traffic gets routed to them, i.e. most remote access VPNs provided by an employer would only direct traffic destined for corporate subnets, i.e. all traffic to 172.16.0.0/16 will go via the VPN, unless they are set to replace your default gateway/route, when all traffic goes via the VPN (which is good for paranoid employers as all requests can go through their content filters, just crap for the end user as your connection will be slower, especially if you have a 50Mb+ connection at home and a crappy 20Mb line at the office....). DNS requests sent via VPN are still plain text in terms of protocol, just the transmission is encrypted, and they are still susceptible to monitoring/filtering once they exit the tunnel.

DoH on the other hand (from a high orbit viewpoint) stuffs the UDP payload of a DNS request into a TCP HTTPS request on the client, which is transmitted using TLS (SSL is dead, deprecated, should not be used, and only exists as an acronym for spotting people who either used to know what they were on about or never knew in the first place) to a centralised proxy controlled by the browser maker (Google or Mozilla here), which accepts the HTTPS request, decodes the payload and performs a normal DNS lookup, which is then sent back as an HTTPS reply to the client, which decodes the DNS response and handles it as usual.

Essentially it's protocol stuffing, and it's open to debate if it's a good thing to move away from a decentralized name system, back to something similar to the walled gardens of AOL and CompuServe from the time that every publication came with a set of coasters.... although that reality is a way down the rabbit hole, it's not unreasonable to expect Google to game responses with paid-for preferential results etc. The tricky bit is that by making it a client feature it can and will bypass the network config of the host, i.e. by default Chrome would make DoH requests and you would have to go about:config diving to disable this (each and every auto update) and use the DNS configured on your adapter, which unless you have overridden your ISP's defaults will be their name servers. (This could also make life tricky inside enterprises running a split-brain DNS for intranet access using the corp domain name.)
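As an added illustration of the encapsulation the comment above describes (this is not chuBb.'s code, nor anything from Google or Mozilla): an ordinary wire-format DNS query is built, dropped unchanged into an RFC 8484 POST body, unwrapped again the way the resolver side would before doing a normal lookup, and a constructed reply is parsed back out. The host name doh.example.invalid is a placeholder.

```python
import struct

def encode_name(name: str) -> bytes:
    # Length-prefixed labels terminated by a zero byte (RFC 1035).
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    # Plain wire-format query: identical bytes whether it rides in UDP or in an HTTPS body.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # flags: RD set; ID 0 per RFC 8484 advice
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def wrap_doh_post(dns_msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    # RFC 8484 POST: the unmodified DNS message is the request body.
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nContent-Type: application/dns-message\r\n"
            f"Accept: application/dns-message\r\nContent-Length: {len(dns_msg)}\r\n\r\n")
    return head.encode() + dns_msg

def unwrap_doh(http_msg: bytes) -> bytes:
    # Resolver side (and the client on the reply): strip HTTP framing, hand the body to a normal DNS engine.
    head, _, body = http_msg.partition(b"\r\n\r\n")
    length = next(int(l.split(b":", 1)[1].strip()) for l in head.split(b"\r\n")
                  if l.lower().startswith(b"content-length:"))
    return body[:length]

def build_dns_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    # Constructed sample reply: copies the question and appends one A record whose
    # owner name is a compression pointer (0xC00C) back to the question name.
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + query[12:] + rr

def skip_name(msg: bytes, off: int) -> int:
    # Advance past a name, handling the 2-byte compression pointer form.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg: bytes) -> list[str]:
    # Return the IPv4 addresses in the answer section of a wire-format response.
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                  # skip qtype + qclass
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips
```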
