by wvenable 2020 days ago
> DNS over HTTPS isn't a tool to block users from reconfiguring their own machines.

Yes it is. Effectively it takes the "machine" out of the equation entirely. DNS resolution happens between the app and the server without you having any say over it at all.

3 comments

I guess you can run your local DNS server and point the browser to that. The local DNS server can do all the filtering you want, and forward the filtered out requests to the outside DNS server.
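A minimal version of the local filtering resolver this comment describes, as an added example (not the commenter's code): it answers NXDOMAIN for names on a blocklist and forwards every other query unchanged to an upstream resolver. The blocklist, listening port and upstream address are constructed placeholders.

```python
import socket
import struct

BLOCKLIST = {"ads.example", "tracker.example"}   # constructed sample blocklist
UPSTREAM = ("192.0.2.53", 53)                    # placeholder upstream resolver (TEST-NET)

def build_query(name, qid=0x1234):
    # Standard recursive A/IN query for `name`; used to exercise the resolver locally.
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def parse_question(packet):
    # Return (qname, offset just past the question section) of a DNS message.
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compressed name in question section")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower(), pos + 1 + 4  # skip root label, QTYPE, QCLASS

def is_blocked(name, blocklist=BLOCKLIST):
    # Block the name if it, or any parent domain of it, is on the list.
    parts = name.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))

def build_nxdomain(query):
    # Copy ID and question; flags QR=1 RD=1 RA=1 RCODE=3 (NXDOMAIN); no answers.
    _, qend = parse_question(query)
    return query[:2] + b"\x81\x83" + struct.pack(">HHHH", 1, 0, 0, 0) + query[12:qend]

def forward_udp(query, upstream=UPSTREAM, timeout=2.0):
    # Relay the raw query to the upstream resolver and hand back its reply as-is.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        return s.recv(4096)

def handle(query, blocklist=BLOCKLIST, forward=forward_udp):
    # Local decision: NXDOMAIN for blocked names, otherwise forward unchanged.
    name, _ = parse_question(query)
    return build_nxdomain(query) if is_blocked(name, blocklist) else forward(query)

def serve(listen=("127.0.0.1", 5353)):
    # Serve UDP queries from the browser (pointed at this address) until interrupted.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(listen)
        while True:
            data, client = s.recvfrom(4096)
            s.sendto(handle(data), client)

if __name__ == "__main__":
    serve()
```

A browser with DoH enabled only consults this resolver if its DoH setting is turned off or pointed at it, which is the bypass the rest of the thread is about.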
The doomsday scenario the top-level comment mentioned is if they disabled that option. It's possible but very unlikely because it would make that browser unusable for many corporate networks.
What corporate networks don't allow outbound HTTPS?
They run their own internal DNS resolvers.
Yes, but DNS over HTTPS bypasses internal DNS resolvers, and because it's HTTPS the corporate firewall would have no idea this is happening.
And the application, the browser, is configurable by the user. There's no OS standard for DoH configurability so it can't just rely on the OS for that.
Apps that do that could always have used their own hardcoded IPs or local resolvers.