Even with DNS over HTTPS or DNS over TLS you are still leaking the name of the server you are connecting to (example.com, sub.example.com) via SNI, an extension of TLS used by servers to decide which certificate to serve (one of the best examples is Cloudflare).
Encrypted Client Hello tries to solve this by encrypting the client hello (the first packet sent by the client in the TLS handshake) (its predecessor is ESNI; it encrypted only the SNI extension, but it was vulnerable to a couple of theoretical attacks), but it doesn't really have decent support (you can enable it in Firefox, but it's behind an about:config flag and it requires support on the server side too).