I read this article and found an alarming statement in update 2.
We’ll use the default resolver, as we do now, but we’ll also send the request to Cloudflare’s DoH resolver. Then we’ll compare the two to make sure that everything is working as we expect.
Additional question: Any good ideas for a defence against this undesired behavior? The method, described in the original document, section update 1 (changing ‘network.trr.mode=5’, using ‘about:config’) requires configuration on the individual workstations, not my favorite solution…