Re: Windows Server
"DNS over TLS (DoT) that ISPs prefer because it gives them continued access to unencrypted DNS traffic." I am not sure that statement makes sense but perhaps....
My understanding of this issue comes largely from El Reg in its previous articles. From 23rd October 2018 comes
========================================
"Network admins, he argued on Twitter, need to be able to see and analyse DNS activity, and DoH prevents that. "DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH."
DoT is DNS over TLS, RFC 7858, a separate standard from DoH that works towards the same integrity and privacy aims. Which matters more, network or user?
While DoT achieves those aims, it's still subject to a level of interference that DoH resists: DoT has port 853 to itself, and can therefore be blocked, and a user's DoT request (but not the content of, or response to, that request) is visible from the network.
DoH, on the other hand, shares port 443 with other HTTPS traffic."
====================================
I think this means that both DoT and DoH traffic are encrypted, but because the DoH traffic is merged in with all other HTTPS traffic on port 443, the DoH traffic cannot easily be identified as DNS traffic. It can under DoT, although you can't see what is actually in it.
The real issue here is who runs the DNS servers. It seems that Google and Microsoft, through their browsers, are defaulting all DNS over HTTPS traffic to their own servers, where it is decrypted and they can see everything. Do you trust them?
At the moment in the UK, my Plusnet router defaults to DNS servers chosen by them. I can (and have) easily chosen the OpenDNS alternative. I think this may become much more difficult in future as the DoH choice will be done by the browser. Trust Microsoft and Google to improve matters to their own advantage.
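As an added illustration that is not part of the comment above, the Python below builds one DNS wire query and shows the two transports the quoted article contrasts: the 2-byte length framing DoT sends inside TLS on port 853 (RFC 7858) and the base64url `dns=` GET form DoH sends on port 443 (RFC 8484), plus the port-only view a network operator is left with. The resolver name `dns.example` and the path `/dns-query` are assumed placeholders.

```python
import base64
import struct

DOT_PORT = 853  # RFC 7858: DNS over TLS has a port of its own
DOH_PORT = 443  # RFC 8484: DNS over HTTPS shares the ordinary HTTPS port


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query for `name` (qtype 1 = A, class IN).
    RFC 8484 suggests txid 0 so identical DoH GET URLs are cacheable."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def frame_for_dot(msg: bytes) -> bytes:
    """RFC 7858 keeps the DNS-over-TCP framing: a 2-byte big-endian length
    prefix before each message, carried inside a TLS session to port 853."""
    return struct.pack(">H", len(msg)) + msg


def request_for_doh(msg: bytes, host: str = "dns.example",
                    path: str = "/dns-query") -> str:
    """RFC 8484 GET form: the wire message is base64url-encoded without padding
    and sent as the `dns` query parameter of a normal HTTPS request on 443."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return (f"GET {path}?dns={b64} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Accept: application/dns-message\r\n\r\n")


def classify_flow(dst_port: int) -> str:
    """What the port alone tells an operator: a session to 853 is recognisably
    DNS (contents still encrypted); a request to 443 looks like any other HTTPS."""
    if dst_port == DOT_PORT:
        return "DNS over TLS (identifiable as DNS, content encrypted)"
    if dst_port == DOH_PORT:
        return "HTTPS (DoH not distinguishable from other web traffic by port)"
    return "other"


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(frame_for_dot(q).hex())
    print(request_for_doh(q))
    for port in (DOT_PORT, DOH_PORT):
        print(port, classify_flow(port))
```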