dns-server-setup VS doh-cf-workers

Yes, looks like the code you're looking for lives in https://github.com/AhaDNS/dns-server-setup/blob/master/files/scripts/bash/unbound_update.sh

Haha I know what you mean :) On the bright side it is open-source: https://github.com/AhaDNS/dns-server-setup

If Cloudflare Workers aren't blocked, you can use https://github.com/tina-hello/doh-cf-workers to forward to it, though it only work with DNS over HTTPS client (most desktop browsers, Windows 11, iOS, macOS, Intra on Android and YogaDNS on older Windows)

DoH is another game entirely, even if you import the known DoH domains manually, anyone including dedicated kids, can create their own DoH proxy in minutes.

Even those who weren't interested in self-hosting might spend a couple of minutes hosting their own DNS proxy since it's much more flexible and don't require root or dedicated port (at least with DoH).

While you can in turn block those DoH servers (and probably block port 853 too to stop the default DoT & DoQ traffic), there are ridiculous amount of public DoH servers available, partly because of how easy it is to self-host AGH and expose the DoH endpoint to the public. Anyone can even create their own in minutes.

If you don't want to set up AGH at home or at a VPS, accept that the phones need to use the NextDNS/Nebulo/Intra/AdGuard app set to your NextDNS DoH endpoint while you block other providers, though this doesn't actually stop others from using their own/generic NextDNS, or even any provider if their DoH client support bootstrapping. Also, unless it's a seriously fancy router that analyzes traffic statistics, blocking DoH is merely using public list of DoH domains, anyone can create their DoH proxy which won't be blocked. Some routers have SNI filtering which can block websites regardless of the DNS used, but then you need to provide your own blocklist.

That's probably SNI filtering, but try other servers from https://adguard-dns.io/kb/general/dns-providers/ and https://github.com/curl/curl/wiki/DNS-over-HTTPS/ just in case, or make your own proxy on https://github.com/tina-hello/doh-cf-workers

If you want to go that route, keep in mind the entire Cloudflare Workers and Cloudflare Pages subdomains (workers.dev and pages.dev) can be used as free DoH proxy. Sure you can put the nuclear option, but it would break sites that do use them.

A purely DNS-based solution is bound to be easily bypassed, it's really simple to bootstrap the IP so there's no need to even use the network/OS DNS to resolve the custom DoH domain, with hundreds of publicly known DoH and trivial deployment of DoH forwarder you're fighting a losing game.

Laughs in deploying personal DoH. In general that's only useful if the user doesn't want to bypass (ie, browser's DoH auto upgrade), but when there's a will...

There is some meager effort like this, but it's seriously trivial for one to create their own DoH proxy, or heck, just create their own NextDNS config. So even if you block port 853 (used by DoT & DoQ) and port 53 (unencrypted DNS), DoH traffic is simply unstoppable, yes there is traffic analysis, but with DoH3 it would be impossible to detect an innocuous-looking website serving regular traffic has a hidden DoH endpoint.