
> ...how does using encrypted DNS prevent your ISP seeing what websites you go to?

It doesn't do this by itself. It just prevents one method of data collection.

The ISP can easily connect your IP to your subscriber information, and their DNS can log every lookup made by your IP. Even if you use another DNS, since it's unencrypted, they can (and likely do) sniff that traffic and collect the same information.

> Can't ISPs still see the eventual target IP address, and do a reverse DNS lookup of that?

Sure, but this requires a slightly higher level of effort, and also assumes that you're not connecting to a CDN, which can make your requests pretty opaque.

> Even with HTTPS/TLS, I thought encryption is done after a handshake, isn't it? That would imply a TCP-level connection is made first, which would be sniffable.

Right, and even with SNI, the requested hostname is still sent in the clear. I hope this will be fixed somehow in future implementations. In the meantime, if you need to treat your ISP as absolutely hostile, then you need a VPN or some other kind of encrypted tunnel or proxy.
