If I do not disable it then I can not block nefarious domains for all devices on my network and I can not monitor what devices are doing DNS lookups.
I do not agree that it is good for privacy. Maybe one day if ESNI is implemented everywhere then there may be some truth in the idea, but that also assumes that we are not just moving the resolver from the local ISP to the big centralized platforms like Cloudflare or Google. Cloudflare and Google are by far the biggest and juiciest targets for state-sponsored monitoring, much more than each individual ISP's DNS. As I have no control over their data retention and usage policies I just run my own DNS that talks directly to the root DNS servers and pre-resolves/caches all the domains' name servers that I talk to regularly. At best my tiny ISP would see my batch queries that run on a schedule. If some day my tiny ISP became nefarious I would put them out of business and hope that whomever acquires their infrastructure may be better behaved.
Yes, I disable it using the suggested method of returning NXDOMAIN for "use-application-dns.net". I do also disable it in applications such as the browser to avoid the log entries.
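As an added example (not code from this thread), a minimal responder in Python that answers a query for the canary domain named above with NXDOMAIN (RCODE 3) and returns None for any other name so the normal resolver path handles it; it parses the wire-format query by hand, and the sample queries are constructed so it runs offline.

```python
import struct

# The Firefox canary domain named in the comment above.
CANARY = "use-application-dns.net"

def parse_qname(msg, offset=12):
    """Decode an uncompressed question name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def build_query(name, qtype=1):
    """Constructed sample input: a standard recursive query (QTYPE A by default)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def canary_response(query):
    """Return an NXDOMAIN reply for the canary domain, else None (pass-through)."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    name, end = parse_qname(query)
    if name.lower().rstrip(".") != CANARY:
        return None  # not the canary: let the real resolver answer it
    question = query[12:end + 4]           # original question section, echoed back
    rd = flags & 0x0100                    # preserve the client's RD bit
    # QR=1 (response) | AA=1 | RD | RA=1 | RCODE=3 (NXDOMAIN)
    resp_flags = 0x8000 | 0x0400 | rd | 0x0080 | 0x0003
    header = struct.pack("!HHHHHH", txid, resp_flags, qdcount, 0, 0, 0)
    return header + question

def rcode(msg):
    """Extract the RCODE from a DNS message header."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F
```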
And then I have about 80 IPs that I blackhole. People often counter that with, "but DoH can run on any HTTPS endpoint and you can't block CDNs", and whilst this is true I have never run across a CDN front-ending DoH and I am the type of person that will block a CDN. I can route HTTPS for specific applications through my own VPN mesh if it came to that and use Squid SSL Bump MiTM proxies to sanitize URLs, which I have done in the past. It would just be a couple of ACLs in Squid to block DoH endpoints. The only domains I can not MiTM are those still using public key pinning such as PayPal, which I will never use, eff.org, and a few Google sub-domains. There are probably a few others I have not run across on my Squid proxies.
As a side note, I think PiHole should consider adding a feature for Squid MiTM proxy mode so that more people can do this, with options like peeling off specific LAN clients to use the proxy or force everything through it.
Blocking DoH at the router is almost impossible because it looks exactly the same as other HTTPS traffic.
The only option is to do a man-in-the-middle like some business firewalls (e.g. Zscaler) do.
I don't like DoH much either because apps can use it to bypass my local pihole. But blocking it is hard when an app hardcodes its own DoH server.
DoH is really a solution for a US problem that we in Europe don't have. Here it's illegal for ISPs to use deep packet inspection to datamine their customers.
That depends on what sort of privacy concerns you. I think DoH is awful because it allows DNS lookups that I cannot observe/filter/respond to without going to great lengths.
He needs to disable DoH in order to avoid Firefox using HTTPS to conduct the DNS queries. This is needed if he wants to block the request through his system's hosts file or firewall.