
That's the Firefox approach, yes: provide a list of trusted DoH servers and use that to avoid scummy ISP servers that might monitor, intercept, or mess with DNS records.

Chrome has a separate list of DNS servers that it knows can also do DoH. It doesn't change the DNS server; it just changes the mechanism by which the server is queried:

- https://blog.chromium.org/2020/05/a-safer-and-more-private-b...

- https://blog.chromium.org/2020/09/a-safer-and-more-private-b...

I believe their intent was to auto-upgrade all existing DNS servers if they support DoH, but I'm not so sure anymore; perhaps some other product was doing that instead. In theory it shouldn't be too difficult: send a TLS request to dns.server:443, extract the hostname from the TLS handshake, and do a lookup through https://hostname/dns-query (with the IP address hardcoded for the socket to prevent redirect attacks).




Yes, it shouldn't be difficult, but if Chrome isn't doing it, my point is that that would put DNS servers not on that internal list, such as Pi-hole, at a disadvantage.



