This comes up in discussions quite a bit but in practice I have never seen that become a thing. There is technically nothing stopping a DNS provider from using random CDN nodes but unless you have found a working exception they all have well defined static IP addresses, sometimes even novelty IPs. Perhaps some day they will do this at the risk of CDN nodes getting blocked.
I block DoH/DoT quite successfully on my network, not to invade privacy but to block privacy invading sites and usage statistics that the current DoH/DoT providers gather. Thus far it has not been an issue.
I was surprised to find that cell phones automagically discover my DoT 853 listener on my firewall that is served up by Unbound. I do have a "_dns.resolver.arpa" hint record but nothing has ever queried it.
> This comes up in discussions quite a bit but in practice I have never seen that become a thing.
How would you even know it’s happening? Is it even possible to snoop on HTTPS traffic if you have a mobile device like an iPhone? Making it impossible to see is the entire point AFAIK.
I have physical access to the devices and I can also see every device that is registered in DHCP making queries to Unbound. Unless a specific application is leaking requests to 443 I can say with certainty that they are using my DNS server. People on my network appreciate the ad blocking and I would hear about it if that stopped working.
[Edit] I should also add that I do not block VPNs. If someone wants to manually bypass my DNS they can do so with a VPN client. Perhaps some day all the browsers will start creating VPN tunnels to random CDNs on 443.
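The check described above (every DHCP-registered device should show up in the Unbound query log, and one that never does is a candidate for resolving elsewhere), as an added example that is not part of the thread. The lease and log lines are constructed; the assumed formats are dnsmasq-style lease lines and Unbound's text log with `log-queries: yes`.

```python
"""Cross-check DHCP leases against the Unbound query log to find leased hosts
that never reach the local resolver. Lease/log lines are constructed samples;
formats assumed: dnsmasq-style leases, Unbound text log with log-queries: yes."""
import re

# Constructed lease lines: expiry MAC IP hostname client-id
LEASES = """\
1700000000 aa:bb:cc:dd:ee:01 192.168.1.10 laptop *
1700000000 aa:bb:cc:dd:ee:02 192.168.1.11 phone *
1700000000 aa:bb:cc:dd:ee:03 192.168.1.12 tv *
"""

# Constructed Unbound query log lines (epoch timestamp, client IP, qname, qtype)
UNBOUND_LOG = """\
[1700000100] unbound[123:0] info: 192.168.1.10 example.com. A IN
[1700000101] unbound[123:0] info: 192.168.1.11 example.net. AAAA IN
[1700000102] unbound[123:0] info: 192.168.1.10 cdn.example. A IN
"""

QUERY_RE = re.compile(r"^\[(\d+)\] unbound\[\d+:\d+\] info: (\S+) \S+ \S+ IN$")

def parse_leases(text):
    """Return {ip: hostname} for every lease line."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            out[parts[2]] = parts[3]
    return out

def last_query_by_client(text):
    """Return {client_ip: unix time of its most recent query}."""
    seen = {}
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ts, ip = int(m.group(1)), m.group(2)
            seen[ip] = max(seen.get(ip, 0), ts)
    return seen

def silent_clients(leases, queries, now, max_idle):
    """Leased hosts that sent no query to the resolver within max_idle seconds."""
    return sorted(host for ip, host in leases.items()
                  if now - queries.get(ip, 0) > max_idle)

if __name__ == "__main__":
    print(silent_clients(parse_leases(LEASES), last_query_by_client(UNBOUND_LOG),
                         now=1700000200, max_idle=3600))  # ['tv']
```

A host that is merely asleep also looks silent, so pick `max_idle` long enough to cover normal idle periods and treat the output as a list to inspect, not proof of DoH use.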