Re: Where do the keys come from?
"Is the key connected to the DNS server itself? In that case, you could identify all contact to the DNS servers"
They're not /just/ DNS servers. The provider side of this in practice is a large organisation with a lot of useful stuff being served over https; for example Google or Cloudflare.
So an attacker can identify that there's an HTTPS request going to Google or Cloudflare, but that's it. And it turns out that most organisations don't want to block the entirety of Google or Cloudflare, because if you do that then an enormous amount of stuff breaks.
Very much the point here is to mix the DNS traffic that ISPs etc. want to mess with indistinguishably into something so big and vital that they can't just block it all.