The issue I am facing:
I noticed that Chrome/Edge/Firefox are not using Encrypted Client Hello (ECH) because the DoH setting is not set to a public DoH DNS provider like Google / Cloudflare; the setting is set to "OS default (when available)". I've used the Cloudflare tool, which shows sni=plaintext (https://crypto.cloudflare.com/cdn-cgi/trace)
What I am trying to achieve:
1- Set up a DoH DNS server on my local network, while having Pi-hole as the upstream DNS to preserve the DNS filters. Something like NGINX:443 -> Unbound:5353 -> Pi-hole:53, where NGINX will use a self-signed certificate
2- Set up Discovery of Network-designated Resolvers (DNR) to advertise the DoH DNS server in my local network to allow Windows 11 and other devices to auto-upgrade from plaintext DNS. I think that to achieve this, Pi-hole needs to allow setting a custom SVCB record for _dns.resolver.arpa
(see this feature request: Configurable SVCB _dns.resolver.arpa record to allow DNR for custom DoH)
- I'm not trying to enable DoH between Pi-hole and the upstream DNS here, but rather to enable DoH for my local devices while preserving the blocking features of Pi-hole
- I've already seen this topic, which was closed: DDR and DNS over HTTPS/TLS, as it would not be implemented in Pi-hole itself; I am trying to achieve this using other tools
- I feel this is a browser limitation where DoH is required to use ECH even though the DNS is already providing the needed HTTPS records
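The _dns.resolver.arpa SVCB record the post wants Pi-hole to serve is the DDR mechanism (RFC 9462); DNR (RFC 9463) carries the same designation information in DHCP and Router Advertisement options instead. Whichever way it is delivered, the record has to be correct RFC 9460 wire format. The script below is an added example, not code from the post, Pi-hole, Unbound or dnsmasq: it builds the SVCB RDATA for a local DoH endpoint, round-trips it through a small decoder, and prints it both in RFC 3597 generic-RR syntax (usable where a resolver accepts TYPE64 in that form, e.g. an Unbound local-data line, which is an assumption to verify against your version) and as a dnsmasq dns-rr= line. The hostname doh.home.lan, the address 192.168.1.2 and the path /dns-query{?dns} are placeholders.

```python
# Added example (not from the post, Pi-hole, Unbound or dnsmasq): build the
# SVCB record that DDR clients (RFC 9462) query at _dns.resolver.arpa, in the
# RFC 9460 wire format, and emit it in RFC 3597 generic-RR syntax and as a
# dnsmasq dns-rr= line. doh.home.lan, 192.168.1.2 and the path are placeholders.
import ipaddress
import struct

SVCB_TYPE = 64  # RR type number for SVCB (RFC 9460)

# SvcParamKey values from the IANA registry (RFC 9460 section 14.3.2)
KEY_ALPN, KEY_PORT, KEY_IPV4HINT, KEY_IPV6HINT, KEY_DOHPATH = 1, 3, 4, 6, 7


def encode_name(name):
    """Uncompressed wire-format domain name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, off):
    """Inverse of encode_name; returns (name, offset after the terminator)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def svcb_rdata(priority, target, alpn=("h2",), port=None, dohpath=None,
               ipv4hints=(), ipv6hints=()):
    """SVCB RDATA: SvcPriority, TargetName, then SvcParams in increasing key order."""
    if not alpn:
        raise ValueError("DDR requires the alpn SvcParam (RFC 9462 section 4)")
    params = [(KEY_ALPN, b"".join(bytes([len(a)]) + a.encode("ascii") for a in alpn))]
    if port is not None:
        params.append((KEY_PORT, struct.pack("!H", port)))
    if ipv4hints:
        params.append((KEY_IPV4HINT, b"".join(ipaddress.IPv4Address(a).packed for a in ipv4hints)))
    if ipv6hints:
        params.append((KEY_IPV6HINT, b"".join(ipaddress.IPv6Address(a).packed for a in ipv6hints)))
    if dohpath is not None:
        # RFC 9461: relative URI template that must contain the "dns" variable
        if not dohpath.startswith("/") or "{?dns}" not in dohpath:
            raise ValueError("dohpath must be a relative URI template containing {?dns}")
        params.append((KEY_DOHPATH, dohpath.encode("utf-8")))
    params.sort(key=lambda kv: kv[0])  # wire format requires strictly increasing keys
    body = struct.pack("!H", priority) + encode_name(target)
    for key, value in params:
        body += struct.pack("!HH", key, len(value)) + value
    return body


def parse_svcb(rdata):
    """Minimal SVCB decoder; rejects out-of-order keys as a resolver would."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = decode_name(rdata, 2)
    raw, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        if key <= last_key:
            raise ValueError("SvcParamKeys not in strictly increasing order")
        last_key = key
        raw[key] = rdata[off + 4:off + 4 + length]
        off += 4 + length
    out = {"priority": priority, "target": target}
    if KEY_ALPN in raw:
        v, i, alpns = raw[KEY_ALPN], 0, []
        while i < len(v):
            alpns.append(v[i + 1:i + 1 + v[i]].decode("ascii"))
            i += 1 + v[i]
        out["alpn"] = alpns
    if KEY_PORT in raw:
        out["port"] = struct.unpack("!H", raw[KEY_PORT])[0]
    if KEY_IPV4HINT in raw:
        v = raw[KEY_IPV4HINT]
        out["ipv4hint"] = [str(ipaddress.IPv4Address(v[i:i + 4])) for i in range(0, len(v), 4)]
    if KEY_DOHPATH in raw:
        out["dohpath"] = raw[KEY_DOHPATH].decode("utf-8")
    return out


def build_ddr_record(target, ipv4, path="/dns-query{?dns}", port=443, ttl=3600):
    """DDR designation for a DoH server reachable at https://<target>:<port><path>."""
    rdata = svcb_rdata(1, target, alpn=("h2",), port=port, dohpath=path, ipv4hints=(ipv4,))
    return {
        "rdata": rdata,
        # RFC 3597 presentation: usable in a zone file or (assumed) Unbound local-data
        "rfc3597": f"_dns.resolver.arpa. {ttl} IN TYPE{SVCB_TYPE} \\# {len(rdata)} {rdata.hex()}",
        # dnsmasq syntax: dns-rr=<name>,<RR-number>,<hex data>
        "dnsmasq": f"dns-rr=_dns.resolver.arpa,{SVCB_TYPE},{rdata.hex()}",
    }


if __name__ == "__main__":
    rec = build_ddr_record("doh.home.lan", "192.168.1.2")  # placeholder values
    print(rec["rfc3597"])
    print(rec["dnsmasq"])
    print(parse_svcb(rec["rdata"]))
```

The record must be answered by the resolver the clients already reach over plaintext UDP/53, i.e. Pi-hole in the chain above, because that is where DDR clients send the _dns.resolver.arpa query; Pi-hole's FTL is dnsmasq-derived, so a dns-rr= line in a dnsmasq.d file is the natural place to try, but whether FTL honours that option in your version is something to confirm. Also note the certificate caveat: RFC 9462 verified discovery requires the DoH server's TLS certificate to chain to a root the client trusts and to contain the unencrypted resolver's IP address as a subjectAltName, so a self-signed NGINX certificate has to be issued with that SAN and imported into each device's trust store, or clients will keep using plaintext DNS.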