False dichotomy. Not only am I pretty sure Sonic isn't selling my DNS queries, I've already opted out of DNS over HTTPS. Refusing to respect the choices I've made is worse than not.

Besides, unencrypted SNI means that if my ISP wanted to get the hosts I was looking at, they could.

Unencrypted SNI is fairly rare now.

Is it? The best I could find was a bit from 2021 that showed 92 of the Alexa Top 1000 site supporting ESNI. If adoption has skyrocketed since then that's great… meanwhile Firefox is showing HN negotiated a TLS 1.2 connection with no ESNI support.

Yeah. I noticed even server-side software is using it less too. Kind of annoying if you use SNI inspection as part of your egress security.

Can you elaborate on why you'd want to opt-out of DNS over HTTPS? I was under the impression that it was useful and good for privacy, but I may be misinformed.

It breaks DNS based blocking if you have it setup. Some people setup ad-blocking so that it encompasses their entire network and the way this works is that it silently drops DNS requests to ad domains on the edge of your local network.

I have a local DNS server to access servers and other resources on my network. DNS over HTTPS breaks this.

It doesn't actually break this but it does leak all of your local DNS queries to Cloudflare.

I trust my ISP a lot more than cloudflare, in part because there's actual competition and I picked one with a strong privacy focus.

And in some/many jurisdictions, your ISP is more regulated by your local government (also in regards to data protection) than cloudflare who has no obligation to you.

Picked...an ISP? What is this fantastical idea?

- An American

Granting monopolies by deafult even if geographically contained might not end up being the best way to go about competition and free markets