by TacticalCoder 646 days ago
> Do Firefox, Chrome and Safari still use unencrypted channels for DNS queries?

Firefox for sure has a "corporate" setting which guarantees that DNS queries are unencrypted, using port 53 (virtually always UDP; technically I take it TCP over port 53 is possible, but a firewall only ever allowing UDP over port 53 for a browser works flawlessly).

AFAIK Chrome/Chromium also has such a setting and making sure that setting is on bypasses DoH.

I force all my browsers / my wife's / my kid's browsers to my own DNS resolver over UDP port 53 (my own DNS resolver is on my LAN, but it could be on a server if I wanted to).

That DNS resolver can then, if you want, only use DoH.

To me it's the best of both worlds: "corporate" DNS setting to force UDP port 53 and then DoH from your own DNS resolver.

The benefit compared to directly using DoH from your browser is that you get to resolve to 0.0.0.0 or NXDOMAIN a shitload of ads/telemetry/malware/porn domains.

You can also, from all your machines (but not from your DNS resolver), blocklist all the known DoH servers' IPs.
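The setup the comment describes (browsers pinned to a plain UDP/53 resolver on the LAN, that resolver answering blocklisted names itself with 0.0.0.0 or NXDOMAIN and forwarding everything else over DoH) boils down to one decision per query. The following is an added example written for this page, not the commenter's own resolver or any project's code: a minimal wire-format stub resolver in the standard library only. The blocklist entries (`ads.example`, `telemetry.example`) and the DoH URL `https://doh.example/dns-query` are constructed placeholders; the upstream call is the RFC 8484 POST shape, and `serve()` listens on 127.0.0.1:5353 so it can be tried without root.

```python
import socket
import struct
import urllib.request

# Constructed sample blocklist: hypothetical names, not from the original comment.
BLOCKLIST = {"ads.example", "telemetry.example"}
# Placeholder upstream; a real deployment points this at the DoH server it trusts.
DOH_URL = "https://doh.example/dns-query"


def encode_qname(name):
    """Encode 'a.b.c' into DNS wire-format labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg, pos):
    """Read a (possibly compressed) name at pos; return (name, position after it)."""
    labels, end = [], None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower(), (end if end is not None else pos)


def build_query(name, qtype=1, txid=0x1234):
    """Minimal RD=1 query with a single IN-class question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (txid, name, qtype, qclass, raw question section)."""
    txid = struct.unpack("!H", msg[:2])[0]
    name, pos = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, name, qtype, qclass, msg[12:pos + 4]


def is_blocked(name, blocklist):
    """True if the name or any parent domain is on the blocklist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def blocked_response(query, mode="0.0.0.0"):
    """Answer a blocked name locally: NXDOMAIN, or an A record pointing at 0.0.0.0."""
    txid, _, qtype, qclass, question = parse_question(query)
    if mode == "nxdomain":
        # flags 0x8183: QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN); no answer section
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    answer, ancount = b"", 0
    if qtype == 1 and qclass == 1:
        # name = pointer to the question name at offset 12; TYPE A, IN, TTL 60, RDLENGTH 4
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + b"\x00\x00\x00\x00"
        ancount = 1
    return struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0) + question + answer


def forward_doh(query, url):
    """Forward the raw wire-format query upstream over DoH (RFC 8484 POST)."""
    req = urllib.request.Request(
        url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def resolve(query, blocklist=BLOCKLIST, mode="0.0.0.0", upstream=forward_doh, doh_url=DOH_URL):
    """The resolver's one decision: answer blocked names locally, forward the rest over DoH."""
    _, name, _, _, _ = parse_question(query)
    if is_blocked(name, blocklist):
        return blocked_response(query, mode)
    return upstream(query, doh_url)


def rcode(msg):
    """Response code from the flags word (3 == NXDOMAIN)."""
    return struct.unpack("!H", msg[2:4])[0] & 0x0F


def first_a_record(msg):
    """Dotted IPv4 of the first A answer in a response, or None."""
    ancount = struct.unpack("!H", msg[6:8])[0]
    _, pos = read_name(msg, 12)
    pos += 4                                           # skip QTYPE/QCLASS
    for _ in range(ancount):
        _, pos = read_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return ".".join(str(b) for b in msg[pos:pos + 4])
        pos += rdlen
    return None


def serve(listen=("127.0.0.1", 5353), **kwargs):
    """Plain UDP listener, the side the browsers talk to; 5353 so no root is needed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(resolve(data, **kwargs), peer)
        except Exception as exc:                       # malformed query or upstream failure
            print("query failed:", exc)


if __name__ == "__main__":
    serve()
```

Two design points carry over from the comment: the blocklist check matches parent domains, so listing `ads.example` also sinks `cdn.ads.example`, and the 0.0.0.0 answer keeps RCODE 0 while the NXDOMAIN variant sets RCODE 3, which matters because some clients retry or fall back differently on the two. The browser-side half of the setup (the "corporate" setting that keeps the browser on port 53 rather than its own DoH) is configured in the browser's policy, not in this resolver.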