Ship has already sailed, it's called DoH. Please note that it is to make your DNS safer and has absolutely nothing to do with removing your ability to resolve DNS in whatever way you want to (cough adblock cough).
DoH is intended to be indistinguishable from HTTPS traffic; if the application specifies a specific DoH server, a DNS-based ad block will not work.
Right now the ad companies have not really figured this out and DoH largely works like port 53 DNS did. But give it a few years. They will up their game and our ability to MITM our own DNS queries will vanish. I will miss it.
And you can definitely MITM a non-configurable DoH resolver if you absolutely needed to do that, as long as you can add your own trusted CA on a device.
> Freedom of DNS choice has nothing to do with DoH
The attack vector that DoH offers is that data exfiltration companies will start shipping their own DNS resolver in JavaScript to work around DNS-based filtering. They can't do this with regular DNS because the network traffic can still be observed and blocked independently, but how will you block a browser from accessing specific HTTPS URLs without MITM'ing all traffic?
So yes, DoH does have something to do with DNS choice: it can completely subvert the OS-provided domain resolver service as well as the browser-configured one.
I guess I just missed that?!
I'm running a mix of AdGuard and NextDNS blockers on some of my mobile devices, and both are apparently handling the DoH issue for you by just blanket-blocking the resolvers and/or ports to force a fallback...
I need a Beer.
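To make concrete why a DoH lookup looks like any other HTTPS request (and so is blocked per resolver rather than per port, as the comments above describe), here is an added Python example, written for this thread and not code from any commenter or from AdGuard/NextDNS: it builds the RFC 8484 GET form of a query and parses a constructed reply. The resolver hostname and the A record are made-up sample values.

```python
import base64
import struct

def encode_qname(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query; RFC 8484 uses ID 0 so identical queries are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set; one question
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(resolver_base: str, name: str, qtype: int = 1) -> str:
    """RFC 8484 GET form: the whole DNS message rides in ?dns= as unpadded base64url.
    On the network only a TLS session to the resolver host is visible, which is why
    port-53 filtering never sees it and blockers must block the resolver itself."""
    b64 = base64.urlsafe_b64encode(build_dns_query(name, qtype)).rstrip(b"=")
    return f"{resolver_base}?dns={b64.decode('ascii')}"

def doh_decode_param(param: str) -> bytes:
    """Reverse of the ?dns= encoding (restores the padding base64 needs)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def build_dns_response(query: bytes, ipv4: str) -> bytes:
    """Constructed stand-in for a resolver reply: echoes the question, adds one A record."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; one answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # name ptr, A, IN, TTL, rdlen
    return header + query[12:] + answer + bytes(int(o) for o in ipv4.split("."))

def parse_dns_header(msg: bytes) -> dict:
    """Header fields a filter checks to see whether a reply actually carried answers."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x0F, "questions": qd, "answers": an}

if __name__ == "__main__":
    q = build_dns_query("example.com")
    # "doh.resolver.example" is a hypothetical resolver name, not a real service
    print(doh_get_url("https://doh.resolver.example/dns-query", "example.com"))
    print(parse_dns_header(build_dns_response(q, "93.184.216.34")))
```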