DNS over HTTPS - to block or not to block?


One of my customers just asked me about the URL category “DNS over HTTPS”.

Example URLs from the help pages are:

Such requests should be created by the browser, if it is configured - and not by a user?

The customer and I basically had this idea:
“We have a company DNS server configured - so we can block these requests. Anyone who issues DNS over HTTPS queries does not adhere to the company standard”.

Is this idea correct?

And we are using Zscaler in explicit mode with PAC file. DNS is done by the proxy in that situation?
However, I checked the customer's logs with 14 hits and some of them had “pac over ipsec” as traffic forwarding.
Why is that?

Thank you for your assistance. :smiley:

Best regards