You’re right, but looking further into this I found DoH is actually run over HTTPS and it’s starting to be known as an abusive vector point. This leads to most firewall rules not having a real ability to mitigate it outside of a whack-a-mole response. Without some elevated IDS/IPS rules to help fix this it’s never going to stop being abused. Wouldn’t you agree? I mean sure we can set the DNS to whatever we want and some encrypted invasive container will do whatever it wants masked inside of port 443.
Sent from my iPhone
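As an added illustration (not from either poster), a small Python triage over constructed DNS and TLS connection log lines showing what the DNS-server/firewall layer can catch, lookups of and SNI to known DoH resolver hostnames, and what it cannot, a port 443 connection with no SNI, which is the whack-a-mole gap described above. The resolver list, log format and IP addresses are assumptions.

```python
# Added example: flag likely DNS-over-HTTPS use from constructed DNS and TLS
# log lines. Resolver list, log format and addresses are constructed here.
import re
from typing import List, Tuple

# Illustrative hostnames publicly operated as DoH resolvers (assumption: a real
# deployment maintains its own list; any such list is inherently incomplete).
KNOWN_DOH_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "dns.quad9.net",
    "mozilla.cloudflare-dns.com",
}

# Constructed format: "<ts> <DNS|TLS> <src_ip> <dst_ip>:<port> <name>"
# For DNS, name is the queried hostname; for TLS it is the SNI, or "-" if absent.
LOG_RE = re.compile(r"^(\S+) (DNS|TLS) (\S+) (\S+):(\d+) (\S+)$")

def classify(line: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return ("ignore", "unparsed")
    _ts, kind, src, dst, port, name = m.groups()
    host = name.lower().rstrip(".")
    if kind == "DNS" and host in KNOWN_DOH_HOSTS:
        # The resolver hostname is normally bootstrapped via plain DNS, so a
        # DNS server that refuses these names stops most clients here.
        return ("block", f"{src} resolved DoH endpoint {host}")
    if kind == "TLS" and port == "443":
        if host in KNOWN_DOH_HOSTS:
            return ("alert", f"{src} TLS to DoH endpoint {host} via SNI")
        if host == "-":
            # No SNI: nothing here separates DoH from any other HTTPS flow.
            return ("unknown", f"{src} -> {dst}:443 with no SNI")
    return ("allow", "")

def triage(lines: List[str]) -> dict:
    """Count verdicts across a batch of log lines."""
    counts = {"block": 0, "alert": 0, "unknown": 0, "allow": 0, "ignore": 0}
    for line in lines:
        counts[classify(line)[0]] += 1
    return counts

# Constructed sample (documentation-range addresses, not real resolvers).
SAMPLE_LOG = [
    "2025-11-25T07:20:01Z DNS 10.0.0.5 10.0.0.2:53 dns.google",
    "2025-11-25T07:20:02Z TLS 10.0.0.5 198.51.100.10:443 dns.google",
    "2025-11-25T07:20:03Z TLS 10.0.0.7 203.0.113.9:443 -",
    "2025-11-25T07:20:04Z DNS 10.0.0.7 10.0.0.2:53 example.com",
    "2025-11-25T07:20:05Z TLS 10.0.0.7 203.0.113.20:443 www.example.com",
]
```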

On Nov 25, 2025, at 07:15, Joel Esler <eslerj@gmail.com> wrote:

Not sure the IDS is the proper place to handle this. Network firewall rules and DNS servers are probably the best place to handle this.  
