Hello,
TLDR: just enable DoH
Today, my friend and I were talking about SNI and deep packet analysis shit done by the government. I insisted that since they do this kind of shit they can block access to certain sites like TPB and other freedom websites. He suggested that I just enable DoH in Firefox and see the magic happen. I didn’t believe him until I enabled DoH and magic. I can access every censored website.
So, just saying that sometimes the bypass is much simpler than we think!
Also, I am thinking that even if the DNS request is encrypted, can’t they see the TLS Client Hello message and block it? Or is it impossible?
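To make the question above concrete: DoH/DoT encrypts the DNS lookup, but in a plain TLS 1.2/1.3 handshake the hostname still travels in the cleartext SNI extension of the ClientHello, which is exactly what an SNI-based filter reads. The script below is an added example (not from any poster in this thread): it builds a constructed ClientHello and then parses the SNI back out of it, the same check you can run over your own packet captures to see whether a hostname is visible on the wire; the record layout follows the TLS RFCs, and the hostname is a constructed sample.

```python
import struct

SNI_EXT = 0x0000  # server_name extension type (RFC 6066)


def build_client_hello(host):
    """Build a minimal TLS ClientHello record. If host is None, no SNI is sent.
    Constructed sample for illustration, not captured traffic."""
    ext = b""
    if host is not None:
        name = host.encode("ascii")
        # ServerNameList: list_len(2) name_type(1)=host_name name_len(2) name
        sni = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack(">HH", SNI_EXT, len(sni)) + sni
    body = (b"\x03\x03"                    # client_version TLS 1.2 (1.3 keeps this)
            + b"\x00" * 32                 # random (zeros in this constructed sample)
            + b"\x00"                      # session_id length 0
            + struct.pack(">H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                  # compression: one method, null
            + struct.pack(">H", len(ext)) + ext)  # extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # record: handshake


def extract_sni(record):
    """Return the cleartext server_name from a ClientHello record, or None.
    This is what an on-path SNI filter sees even when DNS is encrypted."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None  # not a TLS handshake record carrying a ClientHello
    p = 5 + 4 + 2 + 32                     # record hdr, handshake hdr, version, random
    p += 1 + record[p]                     # skip session_id
    p += 2 + struct.unpack(">H", record[p:p + 2])[0]   # skip cipher_suites
    p += 1 + record[p]                     # skip compression_methods
    if p + 2 > len(record):
        return None                        # no extensions block at all
    ext_end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", record[p:p + 4])
        data = record[p + 4:p + 4 + elen]
        if etype == SNI_EXT and len(data) >= 5 and data[2] == 0:   # host_name entry
            nlen = struct.unpack(">H", data[3:5])[0]
            return data[5:5 + nlen].decode("ascii", "replace")
        p += 4 + elen
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.org")))  # hostname still visible
    print(extract_sni(build_client_hello(None)))           # None: nothing to filter on
```

With ECH the real name moves into an encrypted inner ClientHello and only a public outer name is visible, which is why the later reply stresses fetching the ECH configuration over a trusted DoH/DoT channel.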
Yes, everyone should set up DoH (DNS-over-HTTPS) or DoT (DNS-over-TLS). You can do this at the browser level, like you just did in Firefox, or at the OS level.
You can also block ads this way, by cutting off connections to known ad domains before they even start. Mullvad runs a free ad-blocking DoH server anyone can use. See https://mullvad.net/en/help/dns-over-https-and-dns-over-tls for instructions on how to set that up on your OS.
Firefox has also just announced a built-in VPN, which could help get around other types of ISP-level censorship. That’s probably the only free VPN I’d trust, personally. Mullvad and Proton are well-regarded paid VPNs if you want to go that route.
DoH (DNS-over-HTTPS)
The acronyms in this context are the biggest barrier for people to understand wtf is going on. lol
I’m using NextDNS, I enabled all of the security filters, and I also block piracy and NSFW sites so I don’t accidentally access them without a VPN.
I’m not quite satisfied with NextDNS, but it’s the only option on which I can block the xyz, click, and top TLDs.
Another poster said there’s lots of ways to get past DoH/DoT and they’re right. The goal is to run your ECH packet safely to your DNS server. To that end, make your VPN server connection first, then ask for ECH from your trusted DoH/DoT server.
If you’re dealing with DPI you gotta fuck up your packets a bunch to get them through. It makes things slow.
A good way to avoid DPI is to just not deal with it. Often DPI systems are at border crossing points, so if you connect to your trusted VPN endpoint inside the borders of the place you’re trying to obfuscate from, you can make it out to a DoT or DoH.
IDK the technical details much, but DoH/DoT doesn’t bypass DPI for most websites for me in South Korea. zapret/GoodbyeDPI works.
Just an fyi, dnscrypt-proxy allows you to run a local DoH server you can use with Firefox, so you don’t have to trust some public server.
That local server still has to get the data from somewhere.