I found that CleanBrowsing’s Family filter is way ahead of the game compared to others when it comes to blocking DoH domains. However, it is still easy to just go to some DNS lookup site online, get the IP address of the domain, and then use it as network.trr.bootstrapAddress. I think it might be very helpful if this project could maintain some type of IP blacklist which customers need to use in firewall settings to prevent use of any DoH IP forward. Btw, I already have firewall rules blocking ports 53 and 853 forward to prevent normal DNS and DNS over TLS from LAN to WAN and force lookups only using my router’s dnsmasq. However, this DoH bootstrap evasion process seems to be the only thing I can’t prevent.
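
One way the firewall-side IP blocklist requested above could be applied on an nftables router, as an added example that is not part of the original post or the project's own code. The addresses are constructed documentation-range placeholders, the table and set names (`doh_block`, `doh4`, `doh6`) are hypothetical, and dropping UDP 443 alongside TCP 443 is an assumption made to cover DoH over HTTP/3.

```python
import ipaddress

# Constructed sample blocklist (RFC 5737 / RFC 3849 documentation addresses),
# standing in for a maintained list of DoH resolver IPs.
SAMPLE_BLOCKLIST = """\
# one address or CIDR per line
192.0.2.10
198.51.100.0/28
2001:db8::53
192.0.2.10
not-an-ip
"""

def parse_blocklist(text):
    """Return (v4, v6, rejected): collapsed networks per family plus bad lines."""
    v4, v6, rejected = set(), set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)  # never pass unvalidated text into a ruleset
            continue
        (v4 if net.version == 4 else v6).add(net)
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)), rejected)

def render_nft(v4, v6):
    """Render an nftables table dropping forwarded port-443 traffic to the sets."""
    def nft_set(name, typ, nets):
        elems = ", ".join(str(n) for n in nets)
        body = f"        elements = {{ {elems} }}\n" if nets else ""
        return (f"    set {name} {{\n        type {typ}\n"
                f"        flags interval\n{body}    }}\n")
    rules = "".join(
        f"        {fam} daddr @{name} {proto} dport 443 counter drop\n"
        for fam, name in (("ip", "doh4"), ("ip6", "doh6"))
        for proto in ("tcp", "udp"))
    return ("table inet doh_block {\n"
            + nft_set("doh4", "ipv4_addr", v4)
            + nft_set("doh6", "ipv6_addr", v6)
            + "    chain forward {\n"
            "        type filter hook forward priority 0; policy accept;\n"
            + rules + "    }\n}\n")

if __name__ == "__main__":
    v4, v6, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    print(render_nft(v4, v6), end="")
    for entry in bad:
        print(f"# skipped invalid entry: {entry}")
```

The rules match on destination IP in the forward path, so they apply even when the client never performs a DNS lookup for the resolver's hostname; the `counter` on each rule shows which LAN traffic is hitting the list.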