Comment by vladvasiliu

2 days ago

> Now if you get into that territory, as you have suggested with your proxy comment, now you are breaking the security model for not just DNS requests but much of the overall traffic on the network.

You may be breaking things altogether, actually, since many of the devices for which this song and dance needs to exist don't actually offer a way to alter certificates. I don't know that my smart TV actually uses DoH (it's not physically connected to the network), but I have no idea how I'd add a trusted certificate to its chain, even for other purposes.