[AndyMcConachie]

DoH is different because it masquerades as HTTPS traffic. You can block DNS traffic sent to servers configured in custom hosts files, but you can't block DoH unless you either have a list of every DoH server in existance, or block all HTTPS traffic.

That's kind of the entire point of DoH. DNS-over-TLS (DoT) provides TLS encryption for DNS traffic, but runs over port 853 so network operators can control where queries go.

[packet_nerd]

> You can block DNS traffic sent to servers configured in custom hosts files

You're thinking of configuring a custom DNS server, which is not related to the hosts file. The hosts file replaces DNS so there would be no network traffic to block.

Theoretically a kid who really wants his porn could manually add the name-to-IP entries for his favorite sites to his local hosts file, completely bypassing any DNS based filtering you might have on the network.

[simondedalus]

amusingly, putting enough safeguards in place that kids would do this would actually be providing some good education for kids on the path to hacking.

[close04]

If you want to prevent anything like this you either have strong (centralized) controls on the client side - policies hardening the client to the point where no reasonable exploitation avenue is left (no hosts file, no running portable browser, no changing settings, etc.), or strong controls on the network - proxy and make sure no matter what the client wants it goes only where it's allowed (no VPN, no DNS filter bypass, etc.).

Maybe the occasional brilliant kids will find a way, good for them. But there's a limit to how much "ghetto administration" you can do without expending any resources on it and still have your measures hold after a few weeks of curious students probing at them.

[simondedalus]

yeah, they're saying just route to the porn site through the custom hosts file.