Unfortunately, with DoH, this now means that I have to go scorched earth and block all common DNS server IPs at the firewall. You use my gateway to resolve (DNS - 53) or you're out of luck.
I suppose it's only a matter of time before even the cheapest IoT junk just establishes a VPN to its maker's cloud and sends zero unencrypted traffic.
You should solve your problem by not putting non-FOSS IoT devices onto your network, not by doing the same kind of tactics that the bad guys trying to censor other people use. And your way will become impossible once DoH servers end up being hosted at the same IPs that important Web servers are also hosted on.
I do. But people have families, and if husbands, wives, children and grandparents want to buy a fancy lightswitch, well, we do the best we can with what we have here in reality. Should everything be FOSS? Sure, that would be wonderful. But so would exposing settings regarding which DNS server to use, and honoring them. Which is funny, because the exact companies I want to block are the ones putting out devices that do none of the above.
Unfortunately, with DoH, this now means that I have to go scorched earth and block all common DNS server IPs at the firewall. You use my gateway to resolve (DNS - 53) or you're out of luck.
I suppose it's only a matter of time before even the cheapest IoT junk just establishes a VPN to its maker's cloud and sends zero unencrypted traffic.