> I could forsee apps going to random IPs for DNS and making it look like https, which will be hard to deal with.
DoH isn't really going to look like https, the requests and responses are going to be too small.
If you're serious about it, you don't allow any random IP connections, only allow connections to IPs that were received by DNS, and only return proxy addresses that you NAT to the real thing. It's more work, but it's still trivial.
DoH isn't really going to look like https, the requests and responses are going to be too small.
If you're serious about it, you don't allow any random IP connections, only allow connections to IPs that were received by DNS, and only return proxy addresses that you NAT to the real thing. It's more work, but it's still trivial.