[zinekeller]

> Browsers (like firefox) are enabling DoH by default

If you are using a filtered DNS, there is a domain (use-application-dns.net) that you add to tell Firefox to not activate it (unless if the user explicitly activated it). It's already included in Pi-Hole, and some hosts list includes it (despite Firefox prioritising hosts list before DoH).

Plain-text DNS are redirectible (technically a hijack, but whatever).

Ironically, I think that most IoT devices will be the one with hard-to-shut-off DoH/DoT: even worse, they have the incentive to develop a proprietary protocol for ads, so the next step-up would be IP blocklists. Or, I dunno, just hostage your device if you don't allow internet connectivity.