6 votes

Help me get my head around DNSCrypt and DoH/DoT

I want to adopt these technologies because I'm moving to a home without WiFi: I'll only use mobile networks in order to save some money. But the general pipeline and setup are hard to digest, and I'm not sure if I really understand what the implications for my privacy are, except for the fact that DNS queries are encrypted so I don't leak domain names. This is especially important to me because Turkish internet law and the censorship mechanism are really intrusive, with DPI & DNS blocking. My current ISP does not fiddle with my HTTPS traffic, but I won't have that with my mobile network.

I'm also considering a VPN, but major VPNs are blocked here. To what extent do the purposes of VPNs and these DNS solutions overlap? Assuming most of my important traffic is over HTTPS+DoH/T, how safe am I, and most importantly how much can I penetrate the censorship mechanisms?

5 comments

  1. [2]
    patience_limited
    (edited)
    Link
    For starters, you may want to look at an OpenWRT or DD-WRT travel router, such as this.

    If there's a wired Internet connection at your destination, you can plug in the travel router for a wireless bridge, and then use its native OpenVPN support to connect to the VPN of your choice. If you can establish a VPN connection, there are VPN providers which run uncensored, unlogged DNS servers, and this would be your preferred method.

    I've used these devices to circumvent wireless security issues and hotel network proxy snooping/ad injection for years. It's sometimes slow, but much cheaper and more reliable than relying on mobile data, at least in the U.S.

    As to DNSCrypt, etc., you're only guaranteed encryption of your resolution requests, not the remainder of the traffic. Also, depending on your ISP, you may not be able to reach an uncensored DNS server. Likewise for VPN server blocking. Have you tested direct connections to VPN servers by IP, rather than name resolution?

    Update edit: With a little more research on Turkey's DPI deployment, it looks like you'll need a VPN provider that offers "stealth" VPN support.

    Footnote: I've had considerable success with NordVPN, including testing of its Secure VPN (Obfuscated Servers, etc.) features against DPI with the Security team at work. I suspect, though, that it's going to be an ongoing battle with a nation-state program, and I don't know to what extent this may make you a target for law enforcement.

    4 votes
    1. unknown user
      Link Parent
      Whoops, sorry: I meant no internet, not only WiFi. I won't have an internet connection there: I'll mostly be on campus or in cafes studying and possibly working, so most of my internetting will be over mobile networks or insecure public wireless networks, unfortunately. I haven't worded my post well enough.

      But nevertheless, your comment is great advice! Thanks a lot!

  2. [2]
    Weldawadyathink
    Link
    If you decide to not go with a VPN, take a look at the AdGuard app. It is primarily to block ads, but it also makes using DNS over whatever really easy. I am pretty sure you can do that without even paying for it. It already has the major DNS providers set up, and you can add more easily.

    1. unknown user
      Link Parent
      It looks like that piece of software is proprietary. I'm not sure whether it's good advice to recommend non-free software for security and/or privacy TBH. But thanks for the recommendation anyways!

  3. AppetizerDessert
    Link
    VPN Unlimited has a stealth protocol, too. They call it Keepwise.