by everdrive 2573 days ago
It's a big concern. I can block DNS on my network (except for Pi-hole), but I can't block QUIC, and certainly not HTTPS or TLS. If I know about an IP ahead of time, I can block those, but who's to guarantee that Google or any other nefarious service would always use a well-known IP for DoH?
1 comment

How would devices use the obscure DoH IPs? There would have to be a method to update/look up said IPs. That same method could be used to keep an up-to-date block list.

Alternatively, the traffic could be subject to heuristics to identify DoH connections.
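
The block-list idea from the reply, as an added example that is not part of the thread: addresses are harvested from the network's own resolver log whenever a client looks up a tracked DoH hostname, then matched against flows on port 443. The hostnames, the dnsmasq-style log lines, and the flow records are constructed placeholders and assumptions.

```python
import ipaddress
import re

# Assumption: DoH endpoint hostnames the defender already tracks (placeholders).
WATCHED_DOH_HOSTS = {"doh.example.net", "dns.example.org"}

# Constructed resolver log lines in a dnsmasq-style "reply NAME is ADDR" form.
DNS_LOG = """\
Mar  1 10:00:01 dnsmasq[411]: query[A] doh.example.net from 192.168.1.20
Mar  1 10:00:01 dnsmasq[411]: reply doh.example.net is 192.0.2.53
Mar  1 10:00:01 dnsmasq[411]: reply doh.example.net is 2001:db8::53
Mar  1 10:00:05 dnsmasq[411]: reply www.example.com is 198.51.100.7
Mar  1 10:02:10 dnsmasq[411]: reply dns.example.org is <CNAME>
Mar  1 10:02:10 dnsmasq[411]: reply dns.example.org is 203.0.113.9
"""

# Constructed flow records: (source, destination, protocol, destination port).
FLOWS = [
    ("192.168.1.20", "192.0.2.53", "tcp", 443),    # DoH over HTTPS
    ("192.168.1.21", "203.0.113.9", "udp", 443),   # DoH over HTTP/3 (QUIC)
    ("192.168.1.20", "198.51.100.7", "tcp", 443),  # ordinary HTTPS
    ("192.168.1.22", "192.0.2.53", "tcp", 80),     # listed host, but not port 443
    ("192.168.1.23", "192.0.2.99", "tcp", 443),    # address never seen in a lookup
]

REPLY_RE = re.compile(r"reply (\S+) is (\S+)$")

def build_blocklist(log_text, watched=WATCHED_DOH_HOSTS):
    """Collect addresses the resolver returned for watched DoH hostnames."""
    blocked = set()
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if not m or m.group(1).lower().rstrip(".") not in watched:
            continue
        try:
            blocked.add(ipaddress.ip_address(m.group(2)))
        except ValueError:
            pass  # non-address answers such as <CNAME>
    return blocked

def flag_flows(flows, blocked):
    """Return flows to a block-listed address on port 443 over TCP or UDP."""
    return [f for f in flows
            if f[3] == 443 and f[2] in ("tcp", "udp")
            and ipaddress.ip_address(f[1]) in blocked]

if __name__ == "__main__":
    for flow in flag_flows(FLOWS, build_blocklist(DNS_LOG)):
        print("block", flow)
```

The last flow goes unflagged because its address never appeared in a lookup, which is the gap the parent comment raises and where the heuristics mentioned above would have to take over.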