As someone said in the reddit post...
If my daughter figures out how to install a kali vm and then gets a reverse metasploit shell on the server, I would be so proud I would probably cry.
Key though is corporate infosec is similar to home infosec. If the user has local admin access, then the user can change any configuration.
If they did that, then hopefully they learnt a thing or two about networking :)
But I do wonder if bandwidth limiting certain types of applications would be more effective, like reverse qos. There was a post a week or so ago on HN about adding delay to websites that sucks away productivity.
edit: I went and did that on my home router (a ubnt ER-X) and was pleasantly surprised by how granular its DPI and QoS categorizes applications (by protocols, by domain, IM, social network, P2P). It even allows you to make your own categories of apps that are (ab)used often, and rate limit access to them on a range of local IP. I'm hoping that this would be more subtle than an outright block, and the not so instant gratification lead to voluntary reduction of mindless consumption.
I would definitely set that up for some time waster sites for myself, especially if I could borrow OP's idea to adjust the delay based on progress towards other goals. In my experience, Apple's Screen Time limit is just too easy to ignore, but on the other hand I'd be worried that mucking with DNS would disrupt me when I really need to get something done urgently.
Glad you brought this up. My day job involves finding malicious network traffic. DoH is really easy to detect because in suricata or bro/zeek you simply match new outbound connections with DNS responses. If you don't get a matching pair then you need to investigate why you have outbound traffic that is bypassing your DNS server. Note this is alpha stage code. I run this at home on all of my outbound traffic.
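The pairing described in the comment above, as an added example that is not the commenter's code: constructed Zeek-style dns.log/conn.log records, with each outbound connection checked against the DNS answers its client received shortly before. Destinations the client never resolved through the local resolver get flagged for a look; the field subset, the 192.168.1.0/24 LAN and the 300 s window are assumptions to tune to your own network.

```python
import ipaddress
from collections import defaultdict

# Constructed Zeek-style records (a subset of dns.log / conn.log fields).
# dns.log: (ts, id.orig_h, query, answers)  -- answers may mix CNAMEs and IPs
DNS_LOG = [
    (100.0, "192.168.1.20", "news.example.com", ["198.51.100.10"]),
    (101.0, "192.168.1.20", "cdn.example.net", ["cdn.example.net.edgekey.net", "198.51.100.20"]),
]
# conn.log: (ts, id.orig_h, id.resp_h, id.resp_p, proto)
CONN_LOG = [
    (100.5, "192.168.1.20", "198.51.100.10", 443, "tcp"),  # resolved 0.5 s earlier: fine
    (102.0, "192.168.1.20", "198.51.100.20", 443, "tcp"),  # resolved via CNAME chain: fine
    (103.0, "192.168.1.20", "203.0.113.7", 443, "tcp"),    # never resolved: bypass candidate
    (104.0, "192.168.1.20", "192.168.1.1", 53, "udp"),     # the LAN resolver itself: skip
    (105.0, "192.168.1.30", "198.51.100.10", 443, "tcp"),  # other host, no lookup of its own: flag
    (1000.0, "192.168.1.20", "198.51.100.10", 443, "tcp"), # answer too old for the window: flag
]

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed local network (includes the resolver)


def answered_ips(answers):
    """Keep only the address records from a dns.log answers field (drop CNAME/TXT text)."""
    out = set()
    for a in answers:
        try:
            out.add(str(ipaddress.ip_address(a)))
        except ValueError:
            pass
    return out


def find_unresolved(dns_log, conn_log, window=300.0):
    """Return conn records whose resp_h was not handed to orig_h by a DNS answer
    within `window` seconds before the connection started."""
    seen = defaultdict(list)  # (orig_h, answered_ip) -> [answer timestamps]
    for ts, orig_h, _query, answers in dns_log:
        for ip in answered_ips(answers):
            seen[(orig_h, ip)].append(ts)
    flagged = []
    for ts, orig_h, resp_h, resp_p, proto in conn_log:
        if ipaddress.ip_address(resp_h) in LAN:
            continue  # local traffic, including queries to the resolver
        recent = seen.get((orig_h, resp_h), [])
        if not any(0 <= ts - a_ts <= window for a_ts in recent):
            flagged.append((ts, orig_h, resp_h, resp_p, proto))
    return flagged
```

In a live deployment the window should track the answer's TTL rather than a fixed value, and connections to known DoH/DoT resolver addresses deserve their own alert rather than a generic "unresolved" one.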