In every case, once they get the server(s) to connect to, you lose all further visibility unless you’re blocking 443 and forcing traffic through an inspection proxy.
Why can't you redirect all 53 traffic to a pihole and block that single name?
This is not hypothetical: it's how DoH works now, but it's also how various things have worked for decades. Malware liked it for hiding command-and-control name queries from the few people who monitor DNS, but it was also an option for anyone who had problems with buggy or malicious local DNS servers to add public resolvers like 8.8.8.8 or their own infrastructure into the search list so they didn't get support calls due to some ISP breaking their own DNS server.
The key part is remembering that this was always possible. DoH just meant that more people became aware of the gap they'd always had in their network management.
> Firefox, for example, sends hostname to SOCKS proxy without resolving it.
So a simple proxy can bypass local restrictions.
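The SOCKS5 behaviour the comment above describes, as an added example (not code from the thread or from Firefox): RFC 1928 lets the CONNECT request carry the destination as a domain name (ATYP 0x03) instead of an IP address, so a client configured for remote DNS hands the bare hostname to the proxy and the proxy does the lookup. The client-side builder and the proxy-side parser below are illustrative; the `resolved_by` field is an assumed label added here to mark where the DNS query actually happens, which is the visibility gap the local resolver (Pi-hole included) never closes.

```python
"""SOCKS5 CONNECT carrying an unresolved hostname (RFC 1928, ATYP 0x03).

Added example, not code from the thread. A client configured for remote DNS
(Firefox's "Proxy DNS when using SOCKS v5") sends the destination *name*
to the proxy; the proxy resolves it, so the client's local resolver never
sees a query for that name.
"""
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def build_connect_request(host: str, port: int) -> bytes:
    """Client side: VER CMD RSV ATYP DST.ADDR DST.PORT, with DST.ADDR as a
    length-prefixed domain name. Note there is no getaddrinfo() call here."""
    name = host.rstrip(".").encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname length must be 1..255 octets")
    return (
        struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN)
        + bytes([len(name)])
        + name
        + struct.pack("!H", port)
    )


def parse_connect_request(data: bytes) -> dict:
    """Proxy side: decode the destination. 'resolved_by' (a label assumed for
    this example) records where the DNS lookup happens: on the client, which
    already sent an IP, or on the proxy, which received only a name."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_DOMAIN:
        n = data[4]
        if len(data) < 5 + n + 2:
            raise ValueError("truncated domain-name request")
        host = data[5:5 + n].decode("idna")
        off = 5 + n
        resolved_by = "proxy"
    elif atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, data[4:8])
        off = 8
        resolved_by = "client"
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, data[4:20])
        off = 20
        resolved_by = "client"
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(data) < off + 2:
        raise ValueError("truncated request")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return {"cmd": cmd, "host": host, "port": port, "resolved_by": resolved_by}


if __name__ == "__main__":
    req = build_connect_request("example.com", 443)
    print(req.hex())                 # 05 01 00 03 0b 'example.com' 01bb
    print(parse_connect_request(req))
```

The point of the two address types side by side: with ATYP 0x01/0x04 the client resolved the name itself, so a local DNS sinkhole had its chance; with ATYP 0x03 the name travels inside the proxy connection and the only place it can be observed is the proxy.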
-----
I remember doing something similar back in my IT days just to see if it was possible. It was.
Then it won't do anything to DNS over HTTPS traffic that is going over port 443. And it won't be able to distinguish that traffic from any other HTTPS traffic.
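To make concrete what the port-53 redirect misses, here is an added example (not code from the thread) of what a DoH client puts on the wire per RFC 8484: the very same DNS message a port-53 client would send, either base64url-encoded into a `?dns=` GET parameter or sent as an `application/dns-message` POST body, to TCP/443. The resolver URL `https://doh.example/dns-query` and the reply built by `constructed_response` are assumptions for illustration; nothing here touches the network. The last function shows what an inspection proxy that terminates TLS, the one place this is visible, could recover from the URL.

```python
"""DNS over HTTPS lookup shape (RFC 8484), built from a plain DNS wire message.

Added example, not code from the thread. The resolver URL is assumed and the
reply is constructed locally; no network traffic is generated.
"""
import base64
import socket
import struct

DOH_RESOLVER = "https://doh.example/dns-query"  # assumed, any RFC 8484 endpoint
TYPE_A = 1


def encode_name(qname: str) -> bytes:
    """Length-prefixed labels, terminated by a zero octet."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("idna") for lb in labels) + b"\x00"


def build_dns_query(qname: str, qtype: int = TYPE_A) -> bytes:
    """Wire-format query. ID is 0 as RFC 8484 section 4.1 recommends, so
    identical questions yield identical URLs that HTTP caches can serve."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def doh_get_url(qname: str, qtype: int = TYPE_A, resolver: str = DOH_RESOLVER) -> str:
    """GET form: base64url without '=' padding (RFC 8484 section 6)."""
    q = base64.urlsafe_b64encode(build_dns_query(qname, qtype)).rstrip(b"=")
    return f"{resolver}?dns={q.decode('ascii')}"


def doh_post_request(qname: str, qtype: int = TYPE_A) -> tuple[dict, bytes]:
    """POST form: the raw DNS message is the HTTP body."""
    body = build_dns_query(qname, qtype)
    headers = {
        "Accept": "application/dns-message",
        "Content-Type": "application/dns-message",
        "Content-Length": str(len(body)),
    }
    return headers, body


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) NAME field."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two octets end the name
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n


def parse_a_records(msg: bytes) -> list[str]:
    """Walk an application/dns-message reply and return its A record addresses."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, msg[off:off + 4]))
        off += rdlen
    return addrs


def constructed_response(qname: str, addr: str, ttl: int = 300) -> bytes:
    """Constructed sample reply standing in for the resolver. Echoes the
    question and adds one A record whose NAME is a pointer (0xC00C) back to
    offset 12, where the question name starts."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    question = build_dns_query(qname)[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, ttl, 4) + socket.inet_pton(socket.AF_INET, addr)
    return header + question + answer


def qname_from_doh_param(param: str) -> str:
    """What a TLS-terminating inspection proxy could recover from ?dns=:
    re-pad the base64url, then read QNAME at offset 12."""
    raw = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    labels, off = [], 12
    while raw[off]:
        n = raw[off]
        labels.append(raw[off + 1:off + 1 + n].decode("idna"))
        off += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    url = doh_get_url("example.com")
    print(url)
    print(qname_from_doh_param(url.split("?dns=")[1]))
    print(parse_a_records(constructed_response("example.com", "203.0.113.10")))
```

A DNAT of UDP/TCP 53 to a Pi-hole never sees either request form, since they are carried on 443 inside TLS; without TLS interception a firewall can classify them only by destination (resolver IP or SNI), which is the blocklist-of-known-resolvers approach rather than DNS filtering.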
Not going to be possible in a few years or so:
Just because it is not a silver bullet doesn't mean it is not effective for a large percentage of users.