[judge2020]

The issue comes from network operators wanting to control DNS from being a middleman in the connection, but there is no way to ensure the people acting as middlemen in the connection are authorized to be in the middle or authorized to change those DNS requests.

If a network operator can change DNS, then the ISP, network hops, or a malicious twin AP can as well.

[stupidthrottle]

> If a network operator can change DNS

The network operator provides an IP through the DHCP response, which also includes proper DNS-settings for that network.

How is this malicious or replacing “your” DNS? The DNS belongs to the network.

[judge2020]

ISPs also provide "their" DNS rr's. That does not mean you have to use ISPs' DNS RR to access the DNS.

> The DNS belongs to the network.

This is the question - should the network really be able to tell the client what IP corresponds with a DNS name? if no, then there's no good solution to blocking websites where you can't install things on the client's device. Meanwhile, if you say yes, then you must also say yes to ISPs being able to tell the client what IP corresponds to a DNS name. The only solution in an enterprise context is to buy new hardware (or install a software update if Cisco is feeling benevolent) that runs a DoH server. In a school-bocking-porn context, you could ban the biggest offenders via IP (mindgeek sites have a dedicated IP space I think, and you could cron your own DNS lookups for other non-CDN sites) and use SNI whitelist until eSNI is added to iOS.