Why is DNS-based blocking getting difficult? You run a BIND server and tell it what it can and cannot resolve. It can even listen on DoH so you get transport security between peer and local DNS server.
Your browser (or your TV) can just skip your entire DNS infra and make its own lookups over HTTPS, which you won't see.
That's the evil genius of DoH: you can't block 443, and their "DNS server" could be the same hostname as the site you visit ... and now we're discussing MITM'ing ourselves...
AdTech increasingly uses CNAME cloaking-style tricks to evade DNS blocking. Some of those tricks are detectable, but DNS blocking will inevitably fail once ads are served from the first-party domain. It's still rare, but simple CNAME cloaks specifically have seen an uptick in the last few years.
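One way a resolver you control can catch the "detectable" simple CNAME cloaks mentioned above, as an added example that is not from this thread: walk the CNAME chain of a first-party hostname and flag any alias whose registrable domain differs from the first party and sits on a blocklist. The zone table, hostnames and blocklist below are constructed, and `registrable_domain` is a deliberately naive stand-in for a Public Suffix List lookup.

```python
# Added example: detect CNAME-cloaked trackers behind a first-party hostname.
# The resolver is a constructed in-memory table, so this runs offline; in a
# real deployment the same walk happens on the blocking resolver's answers.

BLOCKLIST = {"tracker.example", "ads-cdn.example"}   # constructed blocklist

FAKE_ZONE = {  # constructed DNS data: name -> list of (rrtype, rdata)
    "metrics.shop.example": [("CNAME", "shop.tracker.example")],
    "shop.tracker.example": [("CNAME", "edge.ads-cdn.example")],
    "edge.ads-cdn.example": [("A", "203.0.113.10")],
    "www.shop.example": [("A", "203.0.113.20")],
    "static.shop.example": [("CNAME", "www.shop.example")],
}


def registrable_domain(name):
    # Naive: last two labels. Real code should consult the Public Suffix List,
    # otherwise names under e.g. co.uk collapse to the wrong domain.
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def walk_cname_chain(name, zone, max_hops=8):
    # Follow CNAMEs until a non-CNAME answer; guard against loops and
    # runaway chains, which a hostile zone can supply.
    chain = [name.lower()]
    for _ in range(max_hops):
        records = zone.get(chain[-1], [])
        cnames = [target for rrtype, target in records if rrtype == "CNAME"]
        if not cnames:
            return chain
        nxt = cnames[0].lower()
        if nxt in chain:
            raise ValueError("CNAME loop at %s" % nxt)
        chain.append(nxt)
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def is_cloaked(name, zone, blocklist=BLOCKLIST):
    # A cloak is an alias in the chain that leaves the first-party
    # registrable domain and lands on a listed tracker domain.
    chain = walk_cname_chain(name, zone)
    first_party = registrable_domain(chain[0])
    for alias in chain[1:]:
        rd = registrable_domain(alias)
        if rd != first_party and rd in blocklist:
            return True, alias
    return False, None
```

This only helps on the resolver path you control; a client that does its own DoH lookups, as the thread notes, never shows you the chain at all, and an ad served directly from the first-party name has no CNAME to inspect.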
Sigh.