[1over137]

If I'm not mistaken, that will work only for regular old DNS, not DNS over HTTPS (DoH), which, I presume, uses port 443, not 53.

Seems like blocking Firefox and Chrome from usurping your DNS choices is going to be much harder going forward. :(

[stephen_g]

It’s going to have to work though. For example, corporate users absolutely require the ability to access private internal domains that are not served by public DNS servers. The browser vendors aren’t going to be able to enable DoH directly from the browser by default and break that.

I think the main reason the browsers have added support is so they can get the data they need to make encrypted SNI work. They’re going to have to get operating system APIs to be able to do this from the OS’s resolver or else it will screw all sorts of things up.

[sudo-i]

TLS it seems it actually uses port 853 (which I didn't know). https://tools.ietf.org/html/rfc7858

So I guess in theory you can block that port outbound to all hosts to handle TLS's use case.

HTTPS is tougher, but just block all traffic to those hostnames with a DNS blacklist.

[jlgaddis]

That's DNS-over-TLS which, while similar, is something completely different than DNS-over-HTTPS (DoH).

DoH does, in fact, use 443/TCP, just like regular HTTPS traffic.