I block DoT and DNS-over-QUIC since they use specific ports.
DoH is hard, but most devices that I worry about do not use it yet, so I am not doing anything.
If this starts becoming a problem, either we will need to build a list of DoH server addresses to blacklist, and this will be a cat-and-mouse game, or you will need an HTTPS middlebox to look at what is in there to see if it is DoH and block it or not, and that brings a whole lot of other problems.
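As an added illustration of the point made in the post (this is example code written here, not something the poster shared): a small classifier over constructed firewall flow records shows why DoT and DoQ can be caught by port alone (both use 853, TCP for DoT and UDP for DoQ per RFC 9250) while DoH on 443 can only be matched against a blocklist of resolver addresses. The log format, the `DOH_BLOCKLIST` prefixes (RFC 5737 documentation ranges used as placeholders) and the function names are assumptions for the example.

```python
"""Classify flow records by the DNS transport they most likely carry.

Added example, not from the original post. Port assignments: plain DNS 53,
DoT 853/tcp, DoQ 853/udp (RFC 9250). DoH shares 443 with ordinary HTTPS, so
without inspection it is only recognisable by destination address.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical DoH resolver blocklist. These are RFC 5737 documentation
# prefixes standing in for real resolver addresses; they are placeholders.
DOH_BLOCKLIST = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Constructed sample log in an assumed "key=value" flow-record format.
SAMPLE_LOG = """\
proto=udp dst=203.0.113.5 dport=53
proto=tcp dst=203.0.113.5 dport=853
proto=udp dst=203.0.113.5 dport=853
proto=tcp dst=192.0.2.44 dport=443
proto=tcp dst=203.0.113.80 dport=443
proto=tcp dst=203.0.113.22 dport=22
"""


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> Flow:
    """Parse one 'proto=... dst=... dport=...' record into a Flow."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Flow(fields["proto"].lower(), fields["dst"], int(fields["dport"]))


def classify(flow: Flow, doh_blocklist=DOH_BLOCKLIST) -> str:
    """Return 'dns', 'dot', 'doq', 'doh-listed', 'https' or 'other'.

    Only 'dot' and 'doq' are identified purely by port; 'doh-listed' needs
    a maintained address list, and 'https' may still hide DoH to an
    unlisted resolver, which is the cat-and-mouse problem.
    """
    if flow.dst_port == 53:
        return "dns"
    if flow.dst_port == 853:
        return "dot" if flow.proto == "tcp" else "doq"
    if flow.dst_port == 443:
        addr = ip_address(flow.dst_ip)
        if any(addr in net for net in doh_blocklist):
            return "doh-listed"
        return "https"  # indistinguishable from DoH by port alone
    return "other"


def verdict(kind: str) -> str:
    """Policy from the post: block encrypted DNS that is recognisable."""
    return "block" if kind in {"dot", "doq", "doh-listed"} else "allow"


def summarize(log_text: str) -> dict:
    """Count flow kinds over a whole log, skipping blank lines."""
    counts = Counter(
        classify(parse_line(line)) for line in log_text.splitlines() if line.strip()
    )
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        kind = classify(parse_line(line))
        print(f"{line:45} -> {kind:10} {verdict(kind)}")
    print(summarize(SAMPLE_LOG))
```

Running it shows the two 443 flows side by side: one matched the placeholder blocklist, the other is allowed because nothing short of TLS inspection could tell whether it is DoH.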