Large amount of HTTPS queries & clients cause a Denial of Service on pi-hole

This is a continuation of this thread: Large number of clients cause DNS timeouts over time

While I realize that my configuration is not traditional, I still believe this is an issue within a vanilla pi-hole (or possibly dnsmasq) install.

For context, I use dnsdist to load balance queries to my pi-holes, which then forward to Windows DNS, and then out to the internet. This has proven to be extraordinarily stable and effective.

dnsdist > pi-hole > Windows DNS > internet

The problem I've faced with this however, is that dnsdist does not pass the client's IP to pi-hole by default, it only shows ~10 IP addresses no matter the amount of clients. The solution is to enable ECS forwarding in dnsdist to pass the client's IP to pi-hole, and pi-hole handles this beautifully. I can now have my less tech-savvy coworkers troubleshoot DNS through pi-hole. Unfortunately, I've now had performance issues in pi-hole after enabling ECS forwarding, and up until now I could not track it down.

I primarily serve Apple devices through DNS, and Apple loves their HTTPS queries. So much so that it was the majority query type in my environment. However, after learning more about ECH-type queries and the ways that they can bypass pi-hole and firewall blocking, I decided to disable all of these queries from within dnsdist. This means the pi-hole will never see an HTTPS query.

To my surprise, pi-hole's performance skyrocketed. In other words, with the exact same environment and clients, pi-hole will slow down to a halt if those clients use HTTPS queries. Blocking HTTPS queries and falling back to A queries significantly improves performance by a factor of at least 3 for pi-hole.
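The two dnsdist settings the post above relies on, forwarding the real client address to Pi-hole as EDNS Client Subnet and refusing HTTPS/SVCB queries before they reach Pi-hole, look like this in a dnsdist configuration. This is an added example and not the poster's own configuration; the listen address and the two Pi-hole backend addresses (192.0.2.x, documentation range) and the allowlisted name `example.net` are assumptions chosen for illustration.

```lua
-- dnsdist.conf (Lua). Added example, not from the original thread.
-- Assumed topology: dnsdist on 192.0.2.1, Pi-holes on 192.0.2.10/.11.
setLocal("192.0.2.1:53")

-- Pass the full client address to Pi-hole as EDNS Client Subnet.
-- Without useClientSubnet, Pi-hole only ever sees dnsdist's own source
-- address(es); a /32 (/128) source prefix forwards the whole client IP
-- instead of a truncated subnet, so Pi-hole can attribute queries per client.
setECSSourcePrefixV4(32)
setECSSourcePrefixV6(128)
newServer({address = "192.0.2.10", useClientSubnet = true, pool = "pihole"})
newServer({address = "192.0.2.11", useClientSubnet = true, pool = "pihole"})

-- QTYPEs to refuse: SVCB (64) and HTTPS (65). Both can carry ECH keys.
local svcbOrHttps = OrRule({QTypeRule(64), QTypeRule(65)})

-- Names allowed to keep answering HTTPS/SVCB (an assumed allowlist, for
-- services that break when the record is missing; see the screenshots).
local allowHttps = newSuffixMatchNode()
allowHttps:add("example.net")  -- assumption: replace with names you need

-- Answer all other HTTPS/SVCB queries with NXDOMAIN so clients fall back to
-- A/AAAA and Pi-hole never sees them. Use DropAction() instead to drop
-- silently; that makes clients wait for a timeout before falling back.
addAction(AndRule({svcbOrHttps, NotRule(SuffixMatchNodeRule(allowHttps))}),
          RCodeAction(DNSRCode.NXDOMAIN))

-- Everything else is load-balanced across the Pi-hole pool.
addAction(AllRule(), PoolAction("pihole"))
```

One caveat worth checking in your own environment: NXDOMAIN is a statement about the whole name, not one record type, so a stub resolver that caches negative answers per name may briefly treat the domain as nonexistent for A/AAAA too. If that shows up in your logs, a NODATA-style response (NOERROR with an empty answer section) is the more accurate refusal; dnsdist's `NegativeAndSOAAction` can produce that in recent releases, but check the version you run.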

The oldest post mentioning the HTTPS requests was back in 2021 (Hide/Block HTTPS Requests), when it was just the odd request from an Apple device.

But it's not just Apple anymore. Android sends these requests (often directly to 8.8.8.8) now as well.

They are seen from browsers such as Firefox when browsing other legitimate sites too.

But, there has been more and more of this over time and it will continue to get worse as it serves as yet another mechanism helping advertisers and trackers to obfuscate where they are serving from.

For those not running another blocking server between pihole and their clients, these queries can be blocked by Pi-hole, but as seen from the screenshots above, some legitimate services may need whitelisting.

As per the link in your post, Cloudflare recommend blocking them (either NXDOMAIN or simply dropping them); likewise Palo Alto Networks (in the link in the post above) recommend blocking them.


I agree completely when it comes to blocking these queries, and I'm happy to do it.

My concern here is that as the internet starts to use HTTPS queries more and more, the higher the load will be on these Raspberry Pis, and this performance leak will be even more apparent. I use pi-hole in a VM, but these traditional IoT devices don't have much processing to go around.

This isn't even considering the blocking issues with ECH-type queries as you've mentioned in your reply. With both of these in consideration, maybe it's worth a discussion on implementing ECH blocks in pi-hole itself.
