by nicolaslem 2286 days ago
Until DNS over HTTPS gets widespread adoption.
2 comments

Glad you brought this up. My day job involves finding malicious network traffic. DoH is really easy to detect because in Suricata or Bro/Zeek you simply match new outbound connections with DNS responses. If you don't get a matching pair then you need to investigate why you have outbound traffic that is bypassing your DNS server. Note this is alpha-stage code. I run this at home on all of my outbound traffic.

https://www.reddit.com/r/pihole/comments/embh63/i_made_a_thi...

Original: https://github.com/morsgiathatch/suricata_edits/tree/master/...

Fork: https://github.com/1stOctet/suricata_edits/tree/master/DOCKE...
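The correlation the comment above describes (new outbound connection vs. a DNS answer seen on the wire), as an added example for this thread: it is not the commenter's Suricata/Zeek rules and not code from the linked suricata_edits repositories. It assumes Zeek-style conn.log and dns.log records cut down to a few tab-separated columns, a site-specific list of internal ranges, and constructed sample records (TEST-NET addresses plus example.com's real A record). It also carries a TTL plus grace window so that a destination learned through an earlier response is not flagged merely because a local cache answered the repeat lookup silently.

```python
"""Correlate new outbound connections with DNS answers seen on the wire.

Added example for this thread, not the commenter's rules nor code from the
linked suricata_edits repositories. Zeek-style conn.log/dns.log fields are
reduced to a few tab-separated columns; all records below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Site-specific assumption: connections to these ranges are not "outbound".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class DnsAnswer:
    ts: float   # when the response was observed on the wire
    query: str
    ip: str
    ttl: int


@dataclass(frozen=True)
class Conn:
    ts: float   # connection start
    orig_h: str
    resp_h: str
    resp_p: int
    proto: str


def parse_dns_log(lines):
    """dns.log subset: ts<TAB>query<TAB>answers<TAB>TTLs (comma-separated lists)."""
    out = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, query, answers, ttls = line.rstrip("\n").split("\t")
        for ans, ttl in zip(answers.split(","), ttls.split(",")):
            try:
                ipaddress.ip_address(ans)
            except ValueError:
                continue        # CNAME and similar answers are not endpoints
            out.append(DnsAnswer(float(ts), query, ans, int(ttl)))
    return out


def parse_conn_log(lines):
    """conn.log subset: ts<TAB>id.orig_h<TAB>id.resp_h<TAB>id.resp_p<TAB>proto."""
    out = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, oh, rh, rp, proto = line.rstrip("\n").split("\t")
        out.append(Conn(float(ts), oh, rh, int(rp), proto))
    return out


def unresolved_connections(conns, answers, grace=0.0):
    """Outbound connections whose destination was never returned by a DNS
    answer still valid when the connection started (ts <= c.ts <= ts+TTL+grace).

    `grace` extends validity past the TTL to tolerate a local cache serving a
    repeat lookup without a fresh response appearing on the wire."""
    by_ip = {}
    for a in answers:
        by_ip.setdefault(a.ip, []).append(a)
    flagged = []
    for c in conns:
        dst = ipaddress.ip_address(c.resp_h)
        if any(dst in net for net in INTERNAL_NETS):
            continue            # not outbound
        if c.resp_p == 53:
            continue            # plain DNS itself; covered by other rules
        if any(a.ts <= c.ts <= a.ts + a.ttl + grace for a in by_ip.get(c.resp_h, [])):
            continue            # destination was learned through DNS we saw
        flagged.append(c)
    return flagged


# Constructed sample logs (not captured traffic).
DNS_LOG = [
    "1000.0\texample.com\t93.184.216.34\t300",
    "1005.0\tcdn.example.net\t203.0.113.10,203.0.113.11\t60,60",
    "1007.0\twww.example.org\tcname.example.org,203.0.113.20\t60,60",
]
CONN_LOG = [
    "999.0\t192.168.1.22\t93.184.216.34\t443\ttcp",    # before any answer: flag
    "1001.0\t192.168.1.20\t93.184.216.34\t443\ttcp",   # resolved: fine
    "1002.0\t192.168.1.20\t198.51.100.5\t443\ttcp",    # never resolved: DoH candidate
    "1003.0\t192.168.1.20\t192.168.1.1\t53\tudp",      # internal: skipped
    "1004.0\t192.168.1.20\t198.51.100.53\t53\tudp",    # plain DNS: skipped
    "1010.0\t192.168.1.21\t203.0.113.11\t443\ttcp",    # within TTL: fine
    "1100.0\t192.168.1.21\t203.0.113.10\t443\ttcp",    # TTL expired at 1065
]


def flagged_destinations(grace=0.0):
    """Destination IPs of connections that bypassed observed DNS."""
    conns = parse_conn_log(CONN_LOG)
    answers = parse_dns_log(DNS_LOG)
    return [c.resp_h for c in unresolved_connections(conns, answers, grace)]


if __name__ == "__main__":
    for g in (0.0, 60.0):
        print(f"grace={g:>4}: {flagged_destinations(g)}")
```

With `grace=0` the script flags the connection that preceded any answer, the destination that was never resolved, and the one whose answer's TTL had lapsed; with `grace=60` the lapsed one is tolerated. The grace window only helps for names whose first lookup was visible to the sensor: a stub resolver on loopback that forwards upstream by a path the sensor does not see produces no on-wire response at all, which is the local-cache problem raised in the replies.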

Wouldn’t a local DNS cache look the same? If you’re on a machine running systemd-resolved for example.
DoH is the devil.