The bottom line depends on how paranoid you are…
People often confuse concepts and are not fully able to visualize the sequence of actions.
Let’s start from the beginning.
Someone will always see the network traffic you generate. There is nothing groundbreaking or shocking about it. You just have to picture it clearly.
The network traffic of an ISP’s clients is visible to that ISP, and you can’t do anything about that, because the network has to work and carry the data. You can, however, adopt some ways of working that somewhat limit this view.
What does the ISP see? Everything that is technically possible.
It sees how much data a specific client sends down/up, with a time/date stamp, which protocol, which port, to which IP addresses; it is able to recognize, to some extent, every popular application protocol, even the encrypted ones. It can see whether a given flow is, for example, torrent, https, vpn, etc.
Can the ISP see content that is properly encrypted? No. The ISP is aware of such network traffic all the time, but it will not see what exactly it contains.
What does the ISP see in the case of dns over https traffic?
The ISP sees which client, the time/date, how many KB/MB of data in which direction, the destination IP address, whether v4/v6, the port, and that it is https.
However, it is not able to see the content, i.e. domain names.
The fact that you restrict your ISP’s view of your activities does not change the fact that another ISP will see your content. Your VPS will query some dns server for these domains and that traffic will be visible to the intermediaries on that path. Unless you use DOH for the dns server there as well.
The same principle applies to tunnels of all kinds. If you initiate a vpn to your server from home, your ISP and your server provider will still see the same things… amount of data, protocol, port, IP address, time/date. They will be aware that there is a tunnel between A and B, but the content is encrypted and they will not know it, with one exception! Your traffic needs to go out into the world, so your VPS provider will still see what you are doing over their network, but as long as you use encryption the content will remain secret.
People hear a lot about vpn and DOH and sometimes think they can become invisible everywhere, anytime, and to everyone. No: network traffic has to be transmitted, sometimes has to travel through many networks, and has to reach the recipient in some form. It’s not magic; packets don’t teleport from your home PC to a server in the forest without leaving a trace.
Data collection and tracking is something else, but that’s another story: much more complicated, very difficult and often impossible. But that’s for when the FBI is after you, not a nosy ISP.
If you want your home ISP to have absolutely no insight into the content of your dns queries, use DOH. But don’t forget that any other ISP you use, e.g. your mobile one, will be able to see the domains if you don’t use DOH there too.
P.S
Does it make sense to create a tunnel between PC and VPS and run DOH inside it? No, imho it doesn’t make sense. Either we send all traffic via VPN or we use DOH.
The ISP will still see our https traffic, so if you don’t hide your https activity towards the various sites, there is no point in hiding the DOH traffic either.
P.S 2
ISP data correlation? Possible and to some extent theoretically effective.
The ISP does not know the content of the dns queries for domain names, but it will see that you are making other, larger https connections in the same time interval. This suggests that you received a response from dns, and on such a correlation the ISP could determine domain names. But it’s a bit like chasing your own tail.
Will the spying ISP be able to determine the domain name if the communication takes place with a large data aggregator? In 2023, web hosting is a mass of clouds, CDNs, and all sorts of large servers with thousands of domains. On the basis of correlation, it will be difficult to guess the domains in such noise.
Is it possible in some cases to make a correct correlation between the unknown content, the dns transmission and the https traffic to the target server? If that IP address only serves one domain, then yes.
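Here is the kind of timing correlation the previous three paragraphs describe, as an added example that is not part of the original post: it joins each DoH flow with the https flows that start right after it and looks up what each destination IP is known to host, so a single-domain IP is effectively resolved while a shared CDN edge stays ambiguous. The flow records, the resolver address and the IP-to-domain map are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed flow metadata of the kind an ISP logs: no payload, only when,
# to which IP and port, and how many bytes (timestamp, dst_ip, dst_port, bytes).
FLOWS = [
    ("2023-05-01T10:00:00", "1.1.1.1", 443, 600),          # DoH query to the resolver
    ("2023-05-01T10:00:01", "203.0.113.10", 443, 48000),   # page fetch right after it
    ("2023-05-01T10:05:00", "1.1.1.1", 443, 580),          # another DoH query
    ("2023-05-01T10:05:01", "198.51.100.7", 443, 91000),   # fetch from a CDN edge
    ("2023-05-01T10:20:00", "192.0.2.55", 443, 12000),     # https with no DoH nearby
]
DOH_RESOLVERS = {"1.1.1.1"}  # constructed: the public resolver this client uses

# Constructed reverse map of what each destination IP is known to serve
# (e.g. from passive DNS or certificate transparency): one IP hosts a single
# site, the other is a CDN edge shared by thousands of domains.
HOSTED_ON = {
    "203.0.113.10": ["small-blog.example"],
    "198.51.100.7": ["shop.example", "news.example", "mail.example"],  # and many more
}


def correlate(flows, window=timedelta(seconds=2)):
    """Pair each DoH flow with the https flows that start within `window`
    after it and report which domain(s) the destination could be."""
    parsed = [(datetime.fromisoformat(t), ip, port, n) for t, ip, port, n in flows]
    results = []
    for t, ip, port, _ in parsed:
        if ip not in DOH_RESOLVERS or port != 443:
            continue  # only DoH flows seed a correlation
        for t2, ip2, port2, _ in parsed:
            if port2 != 443 or ip2 in DOH_RESOLVERS or not (t < t2 <= t + window):
                continue
            candidates = HOSTED_ON.get(ip2, [])
            if len(candidates) == 1:
                verdict = "resolved"    # single-domain IP: the name is effectively known
            elif candidates:
                verdict = "ambiguous"   # shared hosting / CDN: lost in the noise
            else:
                verdict = "unknown"     # nothing known about this IP
            results.append({"dns_at": t.isoformat(), "dst_ip": ip2,
                            "candidates": candidates, "verdict": verdict})
    return results
```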
And what about the content of https packets: does the ISP see the domain before the TLS session is established? Yes… SNI. Before the TLS handshake completes, the intended domain name has to be specified, and it is sent in the clear.
So we come to chasing our own tail… On the one hand, we hide our requests for domain names; on the other hand, we generate traffic to those very domains, where the ISP, if it wants to, will find them out.
Does the ISP see the full url? No, the data remains encrypted.
And suddenly TLS 1.3 arrives on a white horse… but
P.S 3
A bit of a side topic is when the ISP not only wants to see but also to modify our network traffic. I personally use DOH everywhere I can and only https.
If you really want to stay as hidden as possible from your ISP’s eyes, then run an encrypted VPN/tunnel/proxy between your LAN and a server. Then you limit your ISP’s ability not only to look at dns queries (obviously, don’t use the ISP’s dns) but also to look at SNI. But remember, you’re limiting it to just that one ISP!