Not the person you responded to, but I too run my own resolver on my router. I also have the router configured to drop [1] all outgoing packets to any DoH IPs; there are a bunch of lists for those, like https://github.com/Sekhan/TheGreatWall
[1]: Specifically, to reject them, which means sending a TCP reset / ICMP unreachable response back rather than blackholing them.
I run a DoH resolver domain-fronted by Cloudflare... Blocking it at the IP level would mean blocking other Cloudflare-proxied websites. With IPv6, a DoH endpoint rotating between various IPs might get even trickier to block.
A better strategy might be to look at the SNI for the hostname, at least until ESNI becomes prevalent (the one I run supports ESNI already).
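Added example, not posted by anyone in this thread: what an SNI-based check on a router actually has to do. It parses the ClientHello out of a raw TLS record, pulls the `server_name` extension, and compares it against a small constructed list of public DoH hostnames (the list, the `build_client_hello` helper used to make test input, and the function names are my assumptions, not anything from the thread). The "unknown" verdict is the caveat from the comment above: once the name is encrypted (ESNI/ECH) or simply absent, there is nothing in the clear to match on, and the rule has to fall back to IP/port heuristics or let the flow through.

```python
import struct

# Constructed list of public DoH hostnames used for the demo (assumption, not from the thread).
DOH_HOSTNAMES = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}

SNI_EXT = 0x0000          # TLS extension type: server_name (RFC 6066)
HOST_NAME_TYPE = 0        # NameType host_name


def build_client_hello(server_name=None):
    """Build a minimal TLS ClientHello record for testing (constructed input, not a real capture)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        exts += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"            # client_version
        + bytes(32)            # random (zeros, fine for a parser test)
        + b"\x00"              # session_id: length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:      # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                              # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                   # skip client_version + random
        sid_len = body[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len
        if pos + 2 > len(body):                        # no extensions block at all
            return None
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype != SNI_EXT:
                continue
            lst_len = struct.unpack("!H", data[0:2])[0]
            q = 2
            while q + 3 <= 2 + lst_len:
                ntype, nlen = struct.unpack("!BH", data[q:q + 3]); q += 3
                name = data[q:q + nlen]; q += nlen
                if ntype == HOST_NAME_TYPE:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                    # truncated or garbage: treat as no SNI


def doh_verdict(record):
    """'reject' for a listed DoH host or its subdomains, 'allow' otherwise,
    'unknown' when there is no cleartext SNI to decide on (ESNI/ECH, or no extension)."""
    name = extract_sni(record)
    if name is None:
        return "unknown"
    name = name.lower().rstrip(".")
    for h in DOH_HOSTNAMES:
        if name == h or name.endswith("." + h):
            return "reject"
    return "allow"


if __name__ == "__main__":
    for host in ("dns.google", "mozilla.cloudflare-dns.com", "example.com", None):
        print(host, "->", doh_verdict(build_client_hello(host)))
```

On a real router this logic sits in whatever can see the first packet of a flow (nDPI, a Suricata `tls.sni` rule, or an nftables/iptables userspace hook); the point of the "unknown" branch is that an SNI match is only as good as the cleartext SNI, which is exactly what ESNI/ECH removes.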
So if I understand this correctly, this provides a way for example.com to suggest a DoH server that the client can use to resolve example.com's subdomains? I can see it being problematic because it'll bypass my resolver's ad-blocking.
I don't use any Apple software or hardware, but if Firefox starts using it I'll start worrying about it.