As it stands, pi-hole does not provide an intuitive way to block DoH bypasses by itself.
The special domain _dns.resolver.arpa is used to upgrade clients to use DNS over HTTPS, and may provide a way around the pi-hole's blocking. With a pi-hole configured forwarder of 1.1.1.1, clients resolving _dns.resolver.arpa can be directed to instead use Cloudflare's DoH server directly. This is not limited to just Cloudflare.
This not only has privacy concerns for those running unbound, but also completely negates the pi-hole's blocking unless other measures are taken, such as implementing a firewall rule with a hard-coded IP address list. I do not believe the average user would be aware of this bypass.
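To make the bypass concrete: a DDR (RFC 9462) client sends an SVCB query for _dns.resolver.arpa and, from the answer, learns the encrypted endpoint (target, ALPN, port, IP hints, DoH path) it may switch to. The script below is an added example, not code from the thread or from Pi-hole; it hand-builds two SVCB records modelled on a public resolver's designation (constructed sample data, not a captured response), decodes them the way a client would, and lists the IP/port pairs an egress firewall rule would have to cover to stop the upgrade.

```python
"""Decode a DDR (RFC 9462) SVCB answer for _dns.resolver.arpa.

Added example, not part of the original thread. The records below are
constructed by hand to resemble a public resolver's designation; they are
not a captured response.
"""
import ipaddress
import struct

# SvcParamKeys from RFC 9460 / RFC 9461
KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
             4: "ipv4hint", 5: "ech", 6: "ipv6hint", 7: "dohpath"}


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format DNS name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data: bytes, off: int):
    """Decode an uncompressed name; returns (name, next offset)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_svcb_rdata(priority: int, target: str, params) -> bytes:
    """params: list of (key, raw value) in ascending key order, as RFC 9460 requires."""
    rdata = struct.pack("!H", priority) + encode_name(target)
    for key, value in params:
        rdata += struct.pack("!HH", key, len(value)) + value
    return rdata


def alpn(*ids): return b"".join(bytes([len(i)]) + i.encode() for i in ids)
def port(p): return struct.pack("!H", p)
def ipv4hint(*ips): return b"".join(ipaddress.IPv4Address(ip).packed for ip in ips)


def parse_svcb_rdata(rdata: bytes) -> dict:
    """Parse SVCB RDATA into a dict of priority, target and decoded SvcParams."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = decode_name(rdata, 2)
    params = {}
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        value = rdata[off:off + length]
        off += length
        name = KEY_NAMES.get(key, f"key{key}")
        if name == "alpn":  # sequence of length-prefixed protocol ids
            ids, i = [], 0
            while i < len(value):
                n = value[i]
                ids.append(value[i + 1:i + 1 + n].decode())
                i += 1 + n
            params[name] = ids
        elif name == "port":
            params[name] = struct.unpack("!H", value)[0]
        elif name == "ipv4hint":
            params[name] = [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]
        elif name == "ipv6hint":
            params[name] = [str(ipaddress.IPv6Address(value[i:i + 16])) for i in range(0, len(value), 16)]
        elif name == "dohpath":
            params[name] = value.decode("utf-8")
        else:
            params[name] = value
    return {"priority": priority, "target": target, **params}


def encrypted_endpoints(records):
    """(ip, port, alpn) tuples the client may switch to. Without an explicit
    port RFC 9461 implies 853 for DoT ("dot") and 443 for DoH."""
    out = []
    for r in sorted(records, key=lambda r: r["priority"]):
        default = 853 if r.get("alpn") == ["dot"] else 443
        for ip in r.get("ipv4hint", []) + r.get("ipv6hint", []):
            out.append((ip, r.get("port", default), tuple(r.get("alpn", []))))
    return out


# Constructed sample: a DoH designation and a lower-priority DoT one.
SAMPLE_RDATA = [
    build_svcb_rdata(1, "one.one.one.one.", [
        (1, alpn("h2", "h3")), (3, port(443)),
        (4, ipv4hint("1.1.1.1", "1.0.0.1")), (7, b"/dns-query{?dns}")]),
    build_svcb_rdata(2, "one.one.one.one.", [
        (1, alpn("dot")), (3, port(853)), (4, ipv4hint("1.1.1.1", "1.0.0.1"))]),
]


def decode_sample():
    return [parse_svcb_rdata(r) for r in SAMPLE_RDATA]


if __name__ == "__main__":
    for rec in decode_sample():
        print(rec)
    print(encrypted_endpoints(decode_sample()))
```

Note that the DoH endpoint shares 1.1.1.1:443 with ordinary HTTPS to the same address, so a firewall rule derived from these hints has to be maintained per resolver and cannot be made selective by port alone; blocking the SVCB/HTTPS answer at the Pi-hole stops the designation from ever reaching the client.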
Thank you for the suggestion, it quite obviously seems a good idea. I had a look at the other discussion, too, dating back to the end of 2022 and think I missed parts of it back then. I seem to recall having only seen the discussion about a general blocking of all SVCB queries which seemed (and still seems) over the top. But your request is nonetheless a valid one IMO, see
for further details.
It'd be great if you could run
sudo pihole checkout ftl new/dns_resolver_arpa
and verify yourself that this is behaving as you expect it to.
I've been running the "regex deny" for quite some time, without any noticeable impact. Be aware "whitelist always wins", so in order to enforce blocking for the specified query types, a whitelist entry (regex allow) needs to look like (example):
ctldl.windowsupdate.com;querytype=!ANY,SVCB,HTTPS
Enforcing blocking also implies you cannot use "allow lists"...
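The following is an added example, not code from the thread or from Pi-hole itself: a small model of the allow/deny evaluation described above (allow rules are checked first and win; a `;querytype=` suffix restricts a regex to listed types, `!` inverts the list). It runs a query-type deny rule and two variants of the windowsupdate allow entry against constructed sample queries, to show why the allow entry needs the `!ANY,SVCB,HTTPS` qualifier: without it, the allow entry also matches HTTPS/SVCB queries for that domain and lets them through. The deny regex `.*;querytype=ANY,SVCB,HTTPS`, the query list and the decision labels are assumptions made for the example; Pi-hole's real regex engine accepts further extensions not modelled here.

```python
"""Model of Pi-hole-style allow/deny evaluation with querytype filters.

Added example, not Pi-hole's own code. It models only the behaviour
described in the thread: allow wins over deny, and a rule may carry
';querytype=[!]T1,T2,...'.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    pattern: re.Pattern
    types: Optional[FrozenSet[str]]  # None means "any query type"
    negate: bool                      # True for ';querytype=!...'


def parse_rule(text: str) -> Rule:
    """Parse 'regex' or 'regex;querytype=[!]A,AAAA' into a Rule."""
    regex, _, ext = text.partition(";")
    types, negate = None, False
    if ext:
        key, _, val = ext.partition("=")
        if key.strip().lower() != "querytype":
            raise ValueError(f"unsupported extension in rule: {text!r}")
        negate = val.startswith("!")
        types = frozenset(t.strip().upper() for t in val.lstrip("!").split(","))
    # Pi-hole regexes are unanchored, so search() rather than fullmatch().
    return Rule(re.compile(regex), types, negate)


def matches(rule: Rule, domain: str, qtype: str) -> bool:
    if not rule.pattern.search(domain):
        return False
    if rule.types is None:
        return True
    hit = qtype.upper() in rule.types
    return not hit if rule.negate else hit


def decide(domain: str, qtype: str, allow_rules, deny_rules) -> str:
    """Allow rules are consulted first and always win ("whitelist always wins")."""
    if any(matches(r, domain, qtype) for r in allow_rules):
        return "allowed"
    if any(matches(r, domain, qtype) for r in deny_rules):
        return "blocked"
    return "forwarded"  # neither list matched: normal resolution


# Assumed deny rule: block the query types DDR/HTTPS upgrades rely on.
DENY = [parse_rule(r".*;querytype=ANY,SVCB,HTTPS")]

# The allow entry from the thread (dots left unescaped, as posted) ...
WEAK_ALLOW = [parse_rule(r"ctldl.windowsupdate.com")]
# ... and the form the thread says is required to keep the block effective.
SAFE_ALLOW = [parse_rule(r"ctldl.windowsupdate.com;querytype=!ANY,SVCB,HTTPS")]

# Constructed sample queries (domain, qtype).
QUERIES = [
    ("ctldl.windowsupdate.com", "A"),
    ("ctldl.windowsupdate.com", "HTTPS"),
    ("_dns.resolver.arpa", "SVCB"),
    ("example.com", "A"),
]


def evaluate(allow_rules) -> dict:
    return {q: decide(q[0], q[1], allow_rules, DENY) for q in QUERIES}


if __name__ == "__main__":
    for label, rules in (("plain allow", WEAK_ALLOW), ("allow with !querytype", SAFE_ALLOW)):
        print(label)
        for (domain, qtype), verdict in evaluate(rules).items():
            print(f"  {domain:26} {qtype:6} -> {verdict}")
```

The plain allow entry lets the HTTPS query for ctldl.windowsupdate.com through, while the `!ANY,SVCB,HTTPS` form keeps A/AAAA working and still blocks the upgrade-related types. An exact-domain allowlist entry has no querytype qualifier at all, so it behaves like the plain rule here, which is the reason the thread says allow lists cannot be combined with this kind of enforcement.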