I personally use doh_blacklist with around 170 IPs, where I block outgoing traffic to known (publicly and not so publicly) internet-reachable DoH resolvers. There is no problem(*) - everything works perfectly.
# create the set (hash:ip holds single addresses)
ipset create blist_doh hash:ip hashsize 1024
# populate it from a file with one IP per line (read line by line instead of word-splitting `cat` output)
while IFS= read -r ip; do ipset add blist_doh "$ip"; done < /etc/bin/blist_doh.txt
# drop anything whose destination is in the set
iptables -A <insert some iptables placement specific to your outgoing/forwarded traffic> -m set --match-set blist_doh dst -m comment --comment 'SPY:all ext DoH BLOCKED' -j DROP
Still, as of 2021, the DoH rule logs around 2% of the traffic compared to my other rule, where I simply block outgoing 53/udp (except to my resolver). A LOT of your devices ignore your DHCP DNS settings and try to circumvent it by going directly to shady 8.8.8.8 etc.
(*) You should check and update it every few months.
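The setup described in the comment, as an added example (not the commenter's own script): it builds the DoH-resolver ipset from a text file, validates each entry, and adds the 53/udp block with a resolver exception. It prints the ipset/iptables commands for review instead of executing them; the list path, the resolver address 192.0.2.53 and the FORWARD chain are assumed defaults you override with environment variables.

```shell
#!/bin/sh
# Added example, not the commenter's script. Generates the ipset and
# iptables commands for the DoH/plain-DNS egress block and prints them,
# so they can be reviewed first and then piped to sh as root.
# LIST_FILE, LOCAL_RESOLVER and CHAIN are hypothetical defaults.

SET_NAME="blist_doh"
LIST_FILE="${LIST_FILE:-/etc/bin/blist_doh.txt}"   # one IPv4 per line, '#' comments allowed
LOCAL_RESOLVER="${LOCAL_RESOLVER:-192.0.2.53}"     # placeholder for your own DNS server
CHAIN="${CHAIN:-FORWARD}"                          # FORWARD for LAN clients, OUTPUT for the box itself

# Accept only dotted-quad IPv4 with every octet in 0-255, so a bad line in
# the list is reported instead of becoming a broken ipset command.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# ipset commands: -exist makes create/add idempotent and flush drops IPs
# removed from the list, so the same script re-applies a refreshed list.
gen_ipset_cmds() {
    printf 'ipset create -exist %s hash:ip hashsize 1024\n' "$SET_NAME"
    printf 'ipset flush %s\n' "$SET_NAME"
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')   # strip comments and whitespace
        [ -n "$ip" ] || continue
        if is_ipv4 "$ip"; then
            printf 'ipset add -exist %s %s\n' "$SET_NAME" "$ip"
        else
            printf 'skipping invalid entry: %s\n' "$ip" >&2
        fi
    done < "$LIST_FILE"
}

# Firewall rules: log then drop traffic to any listed DoH resolver, and
# log then drop plain DNS (53/udp) that bypasses the local resolver.
gen_iptables_cmds() {
    printf 'iptables -A %s -m set --match-set %s dst -j LOG --log-prefix "SPY:DoH "\n' "$CHAIN" "$SET_NAME"
    printf 'iptables -A %s -m set --match-set %s dst -m comment --comment "SPY:all ext DoH BLOCKED" -j DROP\n' "$CHAIN" "$SET_NAME"
    printf 'iptables -A %s -p udp --dport 53 ! -d %s -j LOG --log-prefix "SPY:DNS53 "\n' "$CHAIN" "$LOCAL_RESOLVER"
    printf 'iptables -A %s -p udp --dport 53 ! -d %s -j DROP\n' "$CHAIN" "$LOCAL_RESOLVER"
}

# Usage: sh doh-block.sh print | sudo sh
if [ "${1:-}" = "print" ]; then gen_ipset_cmds; gen_iptables_cmds; fi
```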