zlacker

1. dngray+(OP) 2023-02-24 05:27:20
> killing DoH conclusively on your home network is more difficult than you've made it seem

It's actually not too difficult if your users use Firefox. You can use enterprise policies https://support.mozilla.org/en-US/products/firefox-enterpris...

   /* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+]
    * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off
    * see "doh-rollout.home-region": USA 2019, Canada 2021, Russia/Ukraine 2022 [3]
    * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
    * [2] https://wiki.mozilla.org/Security/DOH-resolver-policy
    * [3] https://support.mozilla.org/en-US/kb/firefox-dns-over-https
    * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/
      // user_pref("network.trr.mode", 5);


It can be more of an issue if you have a lot of "smart" products or IoT products that essentially operate as black boxes on your network, though. Would just recommend not doing that: if you have devices on your network that you don't control, someone else does.
replies(1): >>JohnFe+1e1
2. JohnFe+1e1 2023-02-24 16:03:36
>>dngray+(OP)
That only affects things that use the browser's facilities to engage in DoH. A web page could decide not to do that, and manufacture its own lookups using JS, for instance.
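What the comment above describes, as an added example that is not code from the original post: a page doing an RFC 8484 DNS-over-HTTPS lookup itself. It builds a wire-format query, sends it with `fetch()` in the `?dns=` GET form, and parses the answer, none of which passes through `network.trr.*` or the enterprise policy. `RESOLVER_URL` is an assumed placeholder and `SAMPLE_RESPONSE` is a constructed answer, not a real capture.

```javascript
// Added example, not code from the original post: a page performing its own
// RFC 8484 DNS-over-HTTPS lookup with fetch(), bypassing network.trr.* entirely.
// Assumptions: RESOLVER_URL is a placeholder for a resolver the page picks;
// SAMPLE_RESPONSE is a constructed wire-format answer, not a real capture.
// Runs in a browser or Node 18+ (TextEncoder, btoa and fetch are globals).
const RESOLVER_URL = "https://doh.example.net/dns-query"; // assumed placeholder

// Encode "example.com" as DNS labels: 7 'example' 3 'com' 0.
function encodeName(name) {
  const out = [];
  for (const label of name.replace(/\.$/, "").split(".")) {
    const bytes = new TextEncoder().encode(label);
    if (bytes.length === 0 || bytes.length > 63) throw new Error("bad label: " + JSON.stringify(label));
    out.push(bytes.length, ...bytes);
  }
  out.push(0);
  return out;
}

// Wire-format query for an A record. ID is 0 as RFC 8484 suggests (keeps the
// GET form cacheable); flags 0x0100 sets RD so the resolver recurses.
function buildQuery(name) {
  const header = [0, 0, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0];
  const question = [...encodeName(name), 0, 1, 0, 1]; // QTYPE=A, QCLASS=IN
  return new Uint8Array([...header, ...question]);
}

// base64url without padding, the encoding RFC 8484 uses for "?dns=".
function base64url(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Read a possibly compressed name at offset; returns [name, offsetAfterName].
function readName(buf, offset) {
  const labels = [];
  let pos = offset;
  let after = -1;
  for (;;) {
    const len = buf[pos];
    if (len === 0) { pos += 1; break; }
    if ((len & 0xc0) === 0xc0) {           // compression pointer
      if (after < 0) after = pos + 2;      // resume here once the name is read
      pos = ((len & 0x3f) << 8) | buf[pos + 1];
      continue;
    }
    labels.push(new TextDecoder().decode(buf.subarray(pos + 1, pos + 1 + len)));
    pos += 1 + len;
  }
  return [labels.join("."), after < 0 ? pos : after];
}

// Parse a wire-format response; return the IPv4 addresses from its A records.
function parseAAnswers(buf) {
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const rcode = view.getUint16(2) & 0x0f;
  if (rcode !== 0) throw new Error("DNS rcode " + rcode);
  const qdcount = view.getUint16(4);
  const ancount = view.getUint16(6);
  let pos = 12;
  for (let i = 0; i < qdcount; i++) {
    pos = readName(buf, pos)[1] + 4;       // skip QNAME, QTYPE, QCLASS
  }
  const addrs = [];
  for (let i = 0; i < ancount; i++) {
    pos = readName(buf, pos)[1];
    const type = view.getUint16(pos);
    const rdlen = view.getUint16(pos + 8);  // after TYPE, CLASS, TTL
    const rdata = buf.subarray(pos + 10, pos + 10 + rdlen);
    if (type === 1 && rdlen === 4) addrs.push(Array.from(rdata).join("."));
    pos += 10 + rdlen;
  }
  return addrs;
}

// The actual lookup. Nothing in Firefox's DoH settings or enterprise policy
// sees this: it is an ordinary HTTPS GET to a host the page chose.
async function resolveOverDoh(name, resolver = RESOLVER_URL) {
  const res = await fetch(resolver + "?dns=" + base64url(buildQuery(name)), {
    headers: { accept: "application/dns-message" },
  });
  if (!res.ok) throw new Error("resolver HTTP " + res.status);
  return parseAAnswers(new Uint8Array(await res.arrayBuffer()));
}

// Constructed sample: reply to "example.com A" with one record 192.0.2.1
// (TEST-NET-1), TTL 3600, owner name given as a compression pointer to offset 12.
const SAMPLE_RESPONSE = new Uint8Array([
  0x00, 0x00, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
  7, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 3, 0x63, 0x6f, 0x6d, 0,
  0x00, 0x01, 0x00, 0x01,
  0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x04,
  192, 0, 2, 1,
]);
```

From the network's side this is indistinguishable from any other HTTPS GET to the resolver host; the only handles a home gateway has are the destination address and the TLS SNI, so blocking known public DoH endpoints at the firewall is the complementary control. In a browser the request is also subject to CORS, which a page sidesteps simply by using a resolver it controls.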