Hello *,
@Sorin-Mihai Vârgolici: EHLO, it's nice to see another Postmaster on this list... :-)
although I basically agree with Michael, Tapani made a point: If we decide to build something that intents to block DoH in Firefox (what about other browsers, anyway?), the administrator of an IPFire machine should be able to turn it off easily - which would be something different than the "turn DNSSEC off" switch requested countless times by now.
Needless to say, if Mozilla decides not to honour use-application-dns[.]net anymore - which I expect to happen as some ISPs probably want to continue snooping on their users DNS traffic -, we are at the very beginning of this battle again.
Besides this canary domain, the links mentioned in https://lists.ipfire.org/pipermail/development/2020-March/007134.html might be helpful, too, but that would require some sort of deep package inspection, which I advise against.
It seems to me like the internet is getting worse all the time, and unfortunately, DoH as used by Mozilla does not make it better...
Thanks, and best regards, Peter Müller