Hello,
Currently I'm studying the effects of DoH on regular DNS hijacking and found some interesting findings.
On Chromium browsers DNS hijacking fails; this is because the default settings use DoH. If you follow the "system DNS settings" mode like in Brave it works, but they still use hardcoded DNS entries.
So if my Windows uses 8.8.8.8 with DoH and DoT unchecked, the browser still uses DoH; very deceptive I would say. Now I did not touch "secure DNS", which is on by default, but on my Android device this option is not present and is enabled by default.
At the same time it made me confused why DNS hijacking no longer worked; it is being used as an evasion tool.
When I used banIP, or manually blocked 8.8.8.8 on port 443, it sometimes uses DoT, but DoT is easily blocked by port 853; then it falls back to 53.
So my conclusion:
If I want to be really sure the resolver of my router is used, I must use blocklists for DoH and block DoT.
Now the hijacking works: my NextDNS instance grew from 3% detection to 22%, and my country overview also gave me the real map.
Though ban lists aren't fully nice; I figured that if I want to allow NextDNS via DoH, sometimes NextDNS also unbans Cloudflare's DoH, since NextDNS uses the DDoS protection from Cloudflare.
So my request is as follows:
Please add a DoH/DoT blocklist to the DNS hijacking settings; these options can become visible when the checkbox is enabled.
Though there are some reasons not to do this:
- the DNS fallback option might not always exist
- it gets complicated when allowing one DoH service, and that DoH service depends on others (an easy loophole gets created where other blocked DoH resolvers are still unblocked).
Sorry to be a bit technical, but I would like to see this as an enhancement for the current DNS hijacking option.
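As an added example (not part of the original post or of any router firmware), here is a small Python model of the router policy described above: port-53 hijack to the router, DoT blocked on 853, and a DoH blocklist with one allow-listed provider. All prefixes, addresses and the client fallback chain are constructed placeholders, and the last function shows the allow-list loophole from the final bullet.

```python
from ipaddress import ip_address, ip_network

ROUTER = "192.168.1.1"  # constructed LAN resolver address
# Constructed prefixes standing in for hard-coded DoH resolver addresses;
# these are documentation ranges, not real resolver IPs.
DOH_BLOCKLIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Constructed allow-list: the one DoH provider the user keeps. Like the
# NextDNS/Cloudflare case in the post, it sits inside a shared prefix.
DOH_ALLOWLIST = [ip_network("198.51.100.0/25")]


def classify(dst, dport):
    """Apply the router rules from the post to one outbound LAN flow.
    Returns 'redirect' (port-53 hijack), 'block', or 'allow'."""
    ip = ip_address(dst)
    if dport == 53:
        return "redirect"  # DNS hijacking: every port-53 query goes to ROUTER
    if dport == 853:
        return "block"  # DoT has a fixed port, so it is blocked wholesale
    if dport == 443:
        if any(ip in net for net in DOH_ALLOWLIST):
            return "allow"  # allow-list is consulted before the blocklist
        if any(ip in net for net in DOH_BLOCKLIST):
            return "block"
    return "allow"  # unrelated HTTPS traffic passes untouched


def resolver_used(attempts):
    """Walk a client's fallback chain (DoH, then DoT, then plain DNS) and
    return the address that finally answers it, or None if nothing got through."""
    for dst, dport in attempts:
        verdict = classify(dst, dport)
        if verdict == "redirect":
            return ROUTER
        if verdict == "allow":
            return dst
    return None


def allowlist_loopholes():
    """Blocklist prefixes the allow-list punches a hole into: any other DoH
    resolver sharing an address inside the allowed range slips through."""
    return [str(b) for b in DOH_BLOCKLIST
            if any(a.overlaps(b) for a in DOH_ALLOWLIST)]


# Constructed fallback chain of a browser with secure DNS enabled:
# DoH on 443, then DoT on 853, then plain DNS on 53 to the same resolver.
CHAIN = [("203.0.113.10", 443), ("203.0.113.10", 853), ("203.0.113.10", 53)]
```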