Hello, based on the following:

“NSA recommends that an enterprise network’s DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver.”

Building on that guidance, there should ideally be an RFC or standardized mechanism for locking down browsers and operating systems so they can use only approved DoH servers. With such controls in place, clients could be configured to direct all DNS queries to a local resolver (such as pfSense Unbound), while the firewall enforces that any DNS-over-HTTPS traffic is forwarded exclusively to an authorized upstream resolver. This would re-establish enterprise DNS security controls, especially given prior incidents where attackers have abused DoH for command-and-control purposes.


Since this does not currently exist when can the Snort user base expect DoH rules to help with security concerns of users bypassing official enterprise DNS servers?
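An added example, not from the original post or from the Snort project, of the enforcement policy described above applied to constructed connection log lines. The resolver address, the approved upstream DoH host, the DoH endpoint list and the log format are all assumed placeholders.

```python
"""Flag DNS traffic that bypasses the enterprise resolver, including DoH.

Assumed policy, modelled on the NSA guidance quoted above:
  - Plain DNS (53) and DoT (853) may only go to the enterprise resolver.
  - Only the enterprise resolver may reach the approved upstream DoH host.
  - Any other host reaching a known DoH endpoint over 443 is a bypass.
DoH payloads are encrypted, so the TLS SNI is the only hint available here;
if the client uses Encrypted ClientHello the SNI is absent and this check
cannot see it, which is why the firewall must also restrict by destination.
"""
from dataclasses import dataclass
from typing import List, Optional

ENTERPRISE_RESOLVER = "10.0.0.53"                         # assumed: Unbound on pfSense
APPROVED_UPSTREAM_DOH = "doh.example-upstream.invalid"    # placeholder upstream
# Constructed list of public DoH endpoint hostnames for this example only.
KNOWN_DOH_HOSTS = {"doh.example-public.invalid", "dns.example-public.invalid"}


@dataclass
class Finding:
    src: str
    dst: str
    reason: str


def parse_line(line: str):
    # Constructed log format: src,dst,proto,dport,sni  (sni is "-" when absent)
    src, dst, proto, dport, sni = line.strip().split(",")
    return src, dst, proto, int(dport), sni


def evaluate(line: str) -> Optional[Finding]:
    src, dst, proto, dport, sni = parse_line(line)
    if dport in (53, 853) and dst != ENTERPRISE_RESOLVER:
        return Finding(src, dst, f"DNS on port {dport} bypasses the enterprise resolver")
    if dport == 443 and sni != "-":
        if sni == APPROVED_UPSTREAM_DOH and src != ENTERPRISE_RESOLVER:
            return Finding(src, dst, "client reaches the upstream DoH host directly")
        if sni in KNOWN_DOH_HOSTS:
            return Finding(src, dst, f"DoH to unapproved endpoint {sni}")
    return None


def audit(lines: List[str]) -> List[Finding]:
    return [f for f in (evaluate(line) for line in lines) if f is not None]


# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = [
    "10.0.1.20,10.0.0.53,udp,53,-",                                # allowed
    "10.0.1.21,203.0.113.5,udp,53,-",                              # bypass: direct DNS
    "10.0.0.53,198.51.100.7,tcp,443,doh.example-upstream.invalid", # allowed: resolver -> upstream
    "10.0.1.22,198.51.100.9,tcp,443,doh.example-public.invalid",   # bypass: public DoH
    "10.0.1.23,198.51.100.7,tcp,443,doh.example-upstream.invalid", # bypass: client -> upstream
    "10.0.1.24,192.0.2.10,tcp,443,www.example.com",                # ordinary HTTPS
    "10.0.1.25,203.0.113.6,tcp,853,-",                             # bypass: DoT
]
```

Running `audit(SAMPLE_LOG)` returns four findings, one for each of the lines marked as a bypass.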