Fair enough. Doesn’t bode well for DoH in authoritarian regimes.

Even Palo Alto notes that they can only effectively block DoH if you’re MITMing all https traffic already (e.g. using a root certificate on corporate-managed devices). If not able to MITM the connection, it will still try to block popular DoH providers, though.

https://live.paloaltonetworks.com/t5/blogs/protecting-organizations-in-a-world-of-doh-and-dot/ba-p/313171