I am not misunderstanding anything. Let's terminate this conversation, I can see that it will not get anywhere.
It's amusing that you actually believe that you can 'check the logs' to detect all DoH being performed on the machine. Would you be willing to disclose your employer? "I can check the logs" sounds like something a naive systems administrator would say.
I'm glad that 'security' is your thing. The best thing about the internet is that you never know who you are talking to... Even when you meet people that wrote the parts of the operating system you're currently using.
I never said you could log all DoH. You're not following what I've said. If you're relying on DNS for your security posture in any way right now, you're in a really bad place. Having those non-malicious DNS requests in the clear is a safety blanket at best. Check the default DoH resolver and the system's DoH logs. Then look at network traffic and then for gaps. Programs that use their own resolver and just mix it with their own TLS traffic can be observed; even without knowing the DNS record, the IP is enough.
Also feel free to Google me, creepy as it is; I've no idea why my specific employer would help this discussion in any way.
PS: the victims of SolarWinds had DNS and it didn't help them. Expecting the attacker to use a known IOC or contact an obvious C&C domain is where the industry is at. My opinion is DoH will actually force blue teams to build systems that are effective. My chosen model is parallax: known behavior, known states that can be checked.
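The "look at network traffic and then for gaps" step above, as an added worked example that is not part of any commenter's post: correlate the resolver's clear-text DNS answers with outbound TLS flows and flag (a) connections to IPs the blue team treats as DoH endpoints and (b) TLS connections whose destination IP was never handed to that client by the logged resolver within a lookback window. The log formats, the resolver list, the hosts and the timestamps are all constructed for the example, not taken from any real system.

```python
"""Added example: find DoH-style 'gaps' between DNS answers and TLS flows.
All log lines below are constructed sample data, not real captures."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: IPs the blue team chooses to treat as DoH/DoT endpoints.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


@dataclass
class DnsAnswer:
    ts: datetime
    client: str
    qname: str
    ip: str


@dataclass
class Flow:
    ts: datetime
    client: str
    dst: str
    dport: int


def parse_dns_log(lines):
    """Constructed format: '<iso ts> <client> <qname> A <answer ip>'."""
    out = []
    for line in lines:
        ts, client, qname, rtype, ip = line.split()
        if rtype == "A":  # only A answers map a name to the IPs we see in flows
            out.append(DnsAnswer(datetime.fromisoformat(ts), client, qname, ip))
    return out


def parse_flow_log(lines):
    """Constructed format: '<iso ts> <client> <dst ip>:<dst port>'."""
    out = []
    for line in lines:
        ts, client, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        out.append(Flow(datetime.fromisoformat(ts), client, dst, int(port)))
    return out


def find_gaps(dns_answers, flows, lookback=timedelta(minutes=10)):
    """Return (flow, reason) pairs worth a look.

    'known-doh-resolver': TLS/DoT flow to an IP in KNOWN_DOH_RESOLVERS.
    'tls-without-dns':    TLS flow whose destination IP no logged DNS answer
                          gave this client within `lookback` (own resolver,
                          DoH to an unlisted endpoint, or a hard-coded IP).
    """
    findings = []
    for f in flows:
        if f.dst in KNOWN_DOH_RESOLVERS and f.dport in (443, 853):
            findings.append((f, "known-doh-resolver"))
            continue
        if f.dport != 443:
            continue  # the comment's point is about TLS-mixed traffic
        resolved = any(
            a.client == f.client
            and a.ip == f.dst
            and timedelta(0) <= (f.ts - a.ts) <= lookback
            for a in dns_answers
        )
        if not resolved:
            findings.append((f, "tls-without-dns"))
    return findings


# Constructed sample logs (documentation/test-net addresses only).
DNS_LOG = [
    "2021-01-10T09:00:00 10.0.0.5 www.example.com A 93.184.216.34",
    "2021-01-10T09:00:01 10.0.0.5 cdn.example.net A 203.0.113.10",
]
FLOW_LOG = [
    "2021-01-10T09:00:02 10.0.0.5 93.184.216.34:443",  # resolved via local DNS
    "2021-01-10T09:00:05 10.0.0.5 1.1.1.1:443",        # listed DoH resolver
    "2021-01-10T09:00:07 10.0.0.5 198.51.100.7:443",   # no DNS answer preceded it
    "2021-01-10T09:00:08 10.0.0.5 203.0.113.10:80",    # not TLS, ignored
    "2021-01-10T09:20:00 10.0.0.5 203.0.113.10:443",   # answer is older than lookback
]


def run_example():
    return find_gaps(parse_dns_log(DNS_LOG), parse_flow_log(FLOW_LOG))


if __name__ == "__main__":
    for flow, reason in run_example():
        print(f"{flow.ts.isoformat()} {flow.client} -> {flow.dst}:{flow.dport} {reason}")
```

The lookback window is what turns this from a noisy "unknown IP" alert into something closer to the comment's "known states that can be checked": a client that holds an address for longer than the resolver's answers explain is either caching aggressively or resolving elsewhere, and both are states you can go verify on the host.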