Re: Windows Server
1. DNS controls disappear. Things like Cisco's Umbrella become a bit pointless.
If you are in a location where such a beast is being used, it means you are on some sort of controlled network, e.g. a corporate (work) network, or a university network, or similar environment, i.e., not using your home private network.
In this scenario, if the network admins (as directed by the organisation's policies) are actually concerned about security, as opposed to just saying they care, then they will be using MITM proxies (e.g. Bluecoat proxies, F5s, etc.) for all network traffic anyway. Which means they can see the content of all HTTPS traffic anyway. Which means they can poke into the packet, see it's a DoH request, and do whatever they want with it, discard, reject with error messages, or redirect to their own internal DNS servers.
If you are on a network that doesn't deem installing MITM proxies in it as worthwhile for monitoring internal security (what the users of the network are doing), then it is not a network that takes internal security seriously, therefore it doesn't matter if they can't tell what is in the packet.
Since ISPs are 'passthrough' networks, that is, they have no rights to what's in the packets anyway, they are dumb pipes, it is irrelevant if they can't see what is in DoH requests.
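
Added example, not part of the post above: a sketch of the check a TLS-inspecting proxy could run on a decrypted request to recognise DoH as defined in RFC 8484 and recover the queried name for policy decisions. The function names, the resolver URL and the sample query are constructed for illustration and do not come from any proxy product.

```python
import base64
import struct
from urllib.parse import urlsplit, parse_qs

DOH_MEDIA_TYPE = "application/dns-message"  # media type defined by RFC 8484

def doh_payload(method, url, headers, body=b""):
    """Return the DNS wire-format message carried by a DoH request, else None."""
    hdrs = {k.lower(): v.split(";")[0].strip().lower() for k, v in headers.items()}
    if method == "POST" and hdrs.get("content-type") == DOH_MEDIA_TYPE:
        return body
    if method == "GET":
        values = parse_qs(urlsplit(url).query).get("dns")
        if values:
            b64 = values[0]  # base64url, sent without padding
            try:
                return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
            except ValueError:
                return None
    return None

def question_name(msg):
    """Return the first question's QNAME, or None if the message is malformed."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        return None
    labels, pos = [], 12
    while pos < len(msg):
        length = msg[pos]
        if length == 0:
            return ".".join(labels) or "."
        if length > 63 or pos + 1 + length > len(msg):
            return None  # pointer or truncated label: treat as malformed
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

def classify(method, url, headers, body=b""):
    """Verdict for the proxy: ('doh', qname) or ('other', None)."""
    msg = doh_payload(method, url, headers, body)
    return ("other", None) if msg is None else ("doh", question_name(msg))

def build_query(name):
    """Constructed sample input: minimal A-record query for `name`."""
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)

if __name__ == "__main__":
    q = build_query("example.com")
    print(classify("POST", "https://resolver.example/dns-query",
                   {"Content-Type": DOH_MEDIA_TYPE}, q))
```

The verdict is what the proxy policy would act on: discard, reject with an error, or answer from the internal resolver, as the post describes.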