[josephcsible]

Because if you're on the kind of malicious network that's the reason to use encrypted DNS at all, then your connection attempts on port 853 will probably just get blocked wholesale. DoH is better since it looks the same as all other HTTPS traffic.

And you can still block ad and scam domains with DoH. Either do so with a browser extension, in your hosts file, or with a local resolver that does the filtering and then uses DoH to the upstream for any that it doesn't block.

[dev_l1x_be]

> And you can still block ad and scam domains with DoH.

How?

There are certain browsers that ignore your DNS settings and talk directly to DoH servers. How could I check what is that the browser requesting through a SSL session?

Do you want me to spoof a cert and put it on a MITM node?

These are my nameservers:

   nameserver 10.10.10.65
   nameserver 10.10.10.66

If the browser plays along than talking to these is the safest bet for me because it runs AdGuardHome and removes any ad or malicious (these are interchangable terms) content by returning 0.0.0.0 for those queries. I use DoT as uplink so the ISP cannot look into my traffic and I use http->https upgrades for everything.

For me DoH makes it harder to filter the internet.

[zamadatix]

There are a plethora of ways to control whether the browser uses its own DoH or the system DNS. Some inside the browser itself, some in the machine's OS, and some from the local network.

You can also configure the browser to use your chosen DoH server directly, but this is often as much work as just telling the browser to use the system DNS server and setting that up as DoH anyways.

[josephcsible]

AdGuard has a DoH server. Just configure your browser to use https://dns.adguard-dns.com/dns-query for it.