Yeah you’d need an L7 application layer filtering firewall to catch DoH since it would detect the SSL packet signature on port 53. Unfortunately that balloons the cost of the device past a reasonable level for a home aficionado.
A workaround for now would be to block known public servers that use DoH like Google DNS, since a lot of devices are adding features to enable DoH by default at the OS level
Yeah you’d need an L7 application layer filtering firewall to catch DoH since it would detect the SSL packet signature on port 53. Unfortunately that balloons the cost of the device past a reasonable level for a home aficionado.
A workaround for now would be to block known public servers that use DoH like Google DNS, since a lot of devices are adding features to enable DoH by default at the OS level