by tbyehl 2284 days ago
A decent router can prevent that from being effective.
1 comments

Until DNS over HTTPS gets widespread adoption.
Glad you brought this up. My day job involves finding malicious network traffic. DoH is really easy to detect because in Suricata or Bro/Zeek you simply match new outbound connections with DNS responses. If you don't get a matching pair then you need to investigate why you have outbound traffic that is bypassing your DNS server. Note this is alpha-stage code. I run this at home on all of my outbound traffic.

https://www.reddit.com/r/pihole/comments/embh63/i_made_a_thi...

Original.. https://github.com/morsgiathatch/suricata_edits/tree/master/...

Fork.. https://github.com/1stOctet/suricata_edits/tree/master/DOCKE...

Wouldn’t a local DNS cache look the same? If you’re on a machine running systemd-resolved for example.
DoH is the devil.