I must admit I haven't (yet) delved too deeply into DoT/DoH, but my tactics so far are based upon:

"Because DoH can be used to bypass Umbrella, Umbrella includes known DoH servers in the “Proxy / Anonymizer” content category. This mechanism is effective, but has limitations:

It cannot block brand new DoH providers that are unknown to us

It cannot block DoH which is used via IP address

For the first issue, we do our best to watch new DoH providers, and customers can further improve coverage by also blocking Newly Seen Domains.

For the latter limitation, there are limited scenarios where DoH is accessed directly by IP address. Firefox with Cloudflare is the most well-known example."

The latter point could potentially be an issue, but I don't know how many providers currently operate this way. My assumption (which could be incorrect) is that there will be a standard DNS request to look up the hostname associated with the DoH provider (which can be blocked). If that lookup were to succeed (or a connection be made by IP), then clearly DPI would be the only means to prevent that.
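Added example, not part of the original post or of Umbrella's documentation: a small triage script that separates the two cases discussed above, DoH reached after a hostname lookup (which a DNS-layer block can stop) and DoH reached directly by IP (which it cannot). The hostname and resolver IP lists are short assumed samples, and the log records and their tuple layout are constructed for illustration.

```python
from ipaddress import ip_address

# Assumed sample lists; a real deployment would use a maintained feed.
DOH_HOSTNAMES = {"cloudflare-dns.com", "dns.google"}
DOH_RESOLVER_IPS = {ip_address(a) for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8")}

# Constructed DNS log: (client, queried name, answer IPs)
DNS_LOG = [
    ("10.0.0.5", "mozilla.cloudflare-dns.com", ["203.0.113.10"]),
    ("10.0.0.5", "example.org", ["198.51.100.20"]),
]
# Constructed flow log: (client, destination IP, destination port)
FLOW_LOG = [
    ("10.0.0.5", "203.0.113.10", 443),   # preceded by a DoH hostname lookup
    ("10.0.0.7", "1.1.1.1", 443),        # no lookup seen: DoH by IP address
    ("10.0.0.5", "198.51.100.20", 443),  # ordinary HTTPS
    ("10.0.0.7", "1.1.1.1", 53),         # plain DNS, not DoH
]

def is_doh_name(name):
    """True if name is a listed DoH hostname or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == h or name.endswith("." + h) for h in DOH_HOSTNAMES)

def classify(dns_log, flow_log):
    """Return (client, dst, verdict) for HTTPS flows that look like DoH."""
    # (client, ip) pairs a client learned by resolving a DoH hostname
    resolved = set()
    for client, qname, answers in dns_log:
        if is_doh_name(qname):
            resolved.update((client, ip_address(a)) for a in answers)
    findings = []
    for client, dst, port in flow_log:
        if port != 443:
            continue
        ip = ip_address(dst)
        if (client, ip) in resolved:
            # Blocking the hostname at the DNS layer would have stopped this.
            findings.append((client, dst, "dns-blockable"))
        elif ip in DOH_RESOLVER_IPS:
            # No bootstrap lookup: needs an IP block or inspection instead.
            findings.append((client, dst, "ip-direct"))
    return findings

if __name__ == "__main__":
    for finding in classify(DNS_LOG, FLOW_LOG):
        print(finding)
```
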

