by donmcronald 1118 days ago
> This comes up in discussions quite a bit but in practice I have never seen that become a thing.

How would you even know it’s happening? Is it even possible to snoop on HTTPS traffic if you have a mobile device like an iPhone? Making it impossible to see is the entire point AFAIK.


I have physical access to the devices and I can also see every device that is registered in DHCP making queries to Unbound. Unless a specific application is leaking requests to 443 I can say with certainty that they are using my DNS server. People on my network appreciate the ad blocking and I would hear about it if that stopped working.

[Edit] I should also add that I do not block VPNs. If someone wants to manually bypass my DNS they can do so with a VPN client. Perhaps someday all the browsers will start creating VPN tunnels to random CDNs on 443.
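One way to do the check described in the comment above, as an added example that is not code from the thread: correlate the DHCP client list with Unbound's `log-queries: yes` output and report DHCP clients that never reach the local resolver. The one-line-per-client lease format is an assumption; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample: one "<ip> <hostname>" line per DHCP client. The format
# is an assumption; adapt parse_leases() to your DHCP server's lease file.
DHCP_LEASES = """\
192.168.1.10 laptop
192.168.1.11 phone
192.168.1.12 tv
"""

# Constructed Unbound log lines in the shape written with `log-queries: yes`
# and `use-syslog: no` ("info: <client> <qname> <qtype> <qclass>").
UNBOUND_LOG = """\
[1700000000] unbound[1234:0] info: 192.168.1.10 example.com. A IN
[1700000001] unbound[1234:0] info: 192.168.1.10 ads.example.net. A IN
[1700000002] unbound[1234:0] info: 192.168.1.12 tv.example.org. AAAA IN
"""

QUERY_RE = re.compile(r"info: (\d+\.\d+\.\d+\.\d+) (\S+) (\S+) (\S+)")

def parse_leases(text):
    """Map client IP -> hostname from the (assumed) lease listing."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            leases[parts[0]] = parts[1]
    return leases

def count_queries(text):
    """Count Unbound query log lines per client IP."""
    counts = Counter()
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def silent_clients(leases, counts):
    """DHCP clients that never asked the local resolver: candidates for an
    application resolving elsewhere (DoH/DoT, or a VPN tunnel)."""
    return sorted(ip for ip in leases if counts[ip] == 0)

if __name__ == "__main__":
    leases = parse_leases(DHCP_LEASES)
    counts = count_queries(UNBOUND_LOG)
    for ip in silent_clients(leases, counts):
        print(f"{ip} ({leases[ip]}): no queries seen at Unbound")
```

A client can be silent simply because it was idle during the log window, so compare over a period long enough to cover normal use before treating it as a bypass.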

So you can tell they’re not using your DNS server, but you said:

> I block DoH/DoT quite successfully on my network

How do you block encrypted traffic that’s mixed in with normal HTTPS? I get that you can block the well known IPs, but that’s only a partial solution.