
Comment by jsiepkes

9 hours ago

> A decent corporate policy will block or decrypt DoH, same as it blocks direct outbound DNS.

DoH is simply HTTPS traffic as far as a firewall is concerned, so how are you going to block or decrypt it?

If you take it a step further and you are running a DoH server in the same place where the API endpoints (REST, gRPC or whatever) for your IoT device are running, no one is going to see anything but HTTPS traffic.

HTTPS decryption in corporate environments is standard. Have a corporate root CA, install certs on endpoints, and man-in-the-middle the network traffic.
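The two points above meet in the decrypted traffic: a firewall cannot tell DoH from other HTTPS on the wire, but once a corporate TLS-inspecting proxy has decrypted the session, DoH is still recognisable by its own wire format (RFC 8484: a GET with a base64url `dns=` parameter, or a POST with `Content-Type: application/dns-message`), even when it is served from the same host as an ordinary REST API. The following is an added example, not code from either commenter, showing how a proxy-log post-processor could flag such requests and pull out the queried name. The hostnames (`doh.example.net`, `api.example.net`), the request samples and the helper names (`classify_request`, `scan`, `build_dns_query`) are constructed for illustration.

```python
"""Flag DNS-over-HTTPS requests in already-decrypted HTTP traffic (RFC 8484).

Added example: the requests below are constructed samples, not real captures.
"""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 media type


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as RFC 8484 requires for the dns= parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding RFC 8484 strips, then decode (raises ValueError on junk)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal DNS wire-format query; used only to build the constructed samples."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # class IN


def parse_dns_question(msg: bytes):
    """Return (qname, qtype) of the first question; ValueError if not a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS header truncated")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("question name truncated")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("unexpected compression pointer")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("question fields truncated")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype


def classify_request(method: str, target: str, headers: dict, body: bytes = b""):
    """Return a finding dict if the decrypted request is DoH, else None."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    url = urlsplit(target)
    wire = None
    content_type = hdrs.get("content-type", "").split(";")[0].strip().lower()
    try:
        if method == "POST" and content_type == DOH_MEDIA_TYPE:
            wire = body
        elif method == "GET":
            params = parse_qs(url.query)
            if "dns" in params:
                wire = b64url_decode(params["dns"][0])
        if wire is None:
            return None
        qname, qtype = parse_dns_question(wire)
    except ValueError:
        # A dns= parameter that is not a DNS message (e.g. an API's own "dns=off")
        # is ordinary traffic, not DoH.
        return None
    return {"method": method, "host": hdrs.get("host"), "path": url.path,
            "qname": qname, "qtype": qtype}


def scan(requests):
    """Run the classifier over (method, target, headers, body) tuples."""
    return [hit for hit in (classify_request(*req) for req in requests) if hit]


# Constructed samples: a DoH GET on a dedicated resolver host, a DoH POST on the
# same host as an IoT REST API, and an ordinary API call with a misleading parameter.
SAMPLE_REQUESTS = [
    ("GET", "/dns-query?dns=" + b64url_encode(build_dns_query("example.com")),
     {"Host": "doh.example.net", "Accept": DOH_MEDIA_TYPE}, b""),
    ("POST", "/dns-query",
     {"Host": "api.example.net", "Content-Type": DOH_MEDIA_TYPE},
     build_dns_query("updates.example.org", qtype=28)),
    ("GET", "/api/v1/devices?dns=off", {"Host": "api.example.net"}, b""),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The classifier keys on the RFC 8484 format rather than on a resolver hostname, which is what makes it useful in the scenario jsiepkes describes (DoH co-hosted with the device's API): the POST sample is flagged on `api.example.net` while the plain API call on the same host is not. Real proxies such as Squid or Zscaler export their decrypted request logs in their own formats; feeding those into `scan` would need a small adapter, which is left out here.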