Prevent client auto DoH

LearningAsIGo

Occasional Visitor
Hi, with regard to the setting for Prevent client auto DoH, I wanted to be sure I understand what the "Yes" option means. I see the release notes say:

Added option to prevent automatic DoH upgrade by Firefox. By default this option will only prevent automatic upgrade if you use DNSFilter or DNSPrivacy (DNS-over-TLS). You can change it to always prevent the upgrade. Note that this option has no impact if you manually decide to enable DoH in Firefox, only for its automatic option currently only available in the US.

Is this the correct interpretation of the available options:
- "Auto" to prevent browsers like Firefox from automatically using DoH. Need to use DNSFilter or DNSPrivacy for this to work, i.e. that's clear from the release note.
- "Yes": this is my question: does Yes prevent any device on the LAN doing DoH, so includes Auto but also any manual attempts?
- "No" allows manual or auto DoH on any device.

Thanks
 
“Yes” doesn’t prevent DoH setup manually in Firefox. It just doesn’t depend on DNS Privacy or DNS Filter for the canary domain to be active.
 
Ah OK thanks. That confuses me a bit. What would make a user prefer Yes over Auto or vice versa? I have DNSFilter on, set to Router and have a couple of LAN devices with Filter mode set to a custom DNS server (third party DNS). Would Auto and Yes behave the same way for all my devices in this setup?
 
Your DNS Filter clients set to an external DNS server won’t benefit from the Prevent DoH setting since they do not use the router’s dnsmasq server.

Auto is a default way of saying, “if you as the network administrator of your network have shown an interest in controlling DNS by using DNS Filter or DNS Privacy, then we’ll assume you don’t want network clients to be able to bypass your protections passively.” Yes or No imply you’re making a conscious decision in either direction.
 
Ah thanks I think I get this now. And with your points I think I see what the release note was describing now. So in summary:
- This whole setting is to address browsers (e.g. Firefox) auto using DoH. Nothing to do with manual usage (hence "auto" in the title of the setting).
- If set to "Yes"/"No", that's simple: do/don't prevent auto use of DoH, regardless of any other settings.
- If set to "Auto", then preventing the auto use of DoH is determined in conjunction with DNS Filter or DNS Privacy settings, in whatever way these are configured.

Is that correct?
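
A way to check from a LAN client whether a given resolver sends the canary signal discussed in this thread, added here as an example (not code from the thread or the firmware). It assumes Firefox's canary domain `use-application-dns.net` and Mozilla's documented rule that any rcode other than NOERROR, or a NOERROR reply with no A/AAAA records, suppresses the automatic DoH upgrade; the sample replies are constructed, and `check_resolver` and the other function names are hypothetical.

```python
import socket
import struct

CANARY = "use-application-dns.net"  # Firefox's DoH canary domain (assumption, not named in the thread)

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: header with RD set, one question, class IN."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += n + 1

def canary_signals_no_doh(reply):
    """True if the reply is one Firefox treats as 'do not auto-enable DoH'."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", reply[:12])
    if (flags & 0x000F) != 0:  # NXDOMAIN, SERVFAIL, REFUSED, ...
        return True
    off = 12
    for _ in range(qd):
        off = _skip_name(reply, off) + 4  # skip QTYPE and QCLASS
    addrs = 0
    for _ in range(an):
        off = _skip_name(reply, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10 + rdlen
        addrs += rtype in (1, 28)  # count A and AAAA records only
    return addrs == 0

def sample_reply(rcode, with_a_record):
    """Constructed reply for offline runs (not captured traffic)."""
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, int(with_a_record), 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return hdr + build_query(CANARY)[12:] + (rr if with_a_record else b"")

def check_resolver(resolver_ip, qtype=1, timeout=3.0):
    """Send one canary query (A=1, AAAA=28) to resolver_ip over UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY, qtype), (resolver_ip, 53))
        return canary_signals_no_doh(s.recv(4096))

if __name__ == "__main__":  # offline run on the constructed samples
    print(canary_signals_no_doh(sample_reply(3, False)), canary_signals_no_doh(sample_reply(0, True)))
```

Calling `check_resolver` with the router's LAN address and then with the external server assigned to a DNS Filter client shows the difference described above: only a resolver that answers the canary query this way passes the signal to Firefox.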
 