
I’m responsible for a bunch of IoT hardware, and every firmware spec I write includes a note on not using the DNS servers provided via DHCP.

And that along with DoH is contributing to making my life a pain in the butt. How exactly do you folks who avoid our DHCP's DNS expect us to comply with legal filtering requirements? Also, what happens when your hard-coded DNS servers are shut down?



> How exactly do you folks who avoid our DHCP's DNS expect us to comply with legal filtering requirements?

I would argue that this is more a problem with the legal requirements than with the equipment - the law(maker) has expectations you can’t reasonably fulfill.

Doesn’t make your situation any better of course, the law is the law even when it’s impossible.


Oh, we can fulfill them. We'll resort to TLS inspection and force you to trust our CA on your device if you want to continue accessing our corporate network. And now we get to see (almost) everything again, like in the "good old days," not just your DNS queries.

Clear text DNS is the ultimate compromise, a gentleman's agreement if you want, that benefits everyone. We can see just enough to filter what we are required to by law on a best-effort basis, but we never see what you are actually doing thanks to the prevalence of TLS. DoH just broke that agreement.

It's a sad example of how a privacy solution like DoH will eventually result in less privacy, at least in some environments. And I'm not even considering how DoH will be the excuse for totalitarian regimes to up their surveillance antics.


Yeah. The pre-DoH world was good for both. I could say it's all filtered for the kids on the locked-down machines and the adults who knew something about technology could get on with their lives. Now, we are entering a world where we are going to end up locking down everyone. Good job.

I'm damn sure once I have to do the trusted CA path that someone is going to sell a deep packet inspection solution and present it at some conference where someone in charge will hear about it and then it will be off to the races.


It's not a law problem. It's an expectation that technology isn't so random or stupid that it cannot keep a headstart kid from going to PornHub because some tech folks don't trust their ISP.


I think the classic "the network treats censorship as damage and routes around it" applies here.

Designing a device to connect to something over the internet even if the network it's connected to behaves strangely isn't random or stupid; it's just in conflict with your goals. Incidentally, last time I ran into a network with legally mandated filtering, I checked whether a google image search for "tits" worked. It did.


"behaves strangely isn't random or stupid"

Nope, it behaves fine. The owner of the network is serving underage kids. Push too far and it's white lists only and block all other IP and I'm sure we'll get deep packet inspection forced on us. Some folks have serious problems with Google Images Search, but you can actually deal with that.

I would also say anyone hard-coding DNS into a device is just absolutely unprofessional. It's basically a red flag that any filtering by the owner of the network doesn't matter to them.


From the perspective of the device maker, a network causing a DNS lookup to return something other than an accurate result is behaving strangely. That may keep a device from working, so the device maker guards against it. A quick scroll through this thread reveals good reasons for device makers to do this, mostly ISPs behaving badly.

I'm generally inclined to think an "always use this manually-configured DNS" option is desirable in that situation. Of course, many devices may have a financial incentive (ads) to actively resist the network owner's attempts at filtering.

Filtering is inherently adversarial, and I expect a reasonably sophisticated user on your network could find a way to access some proscribed content. I also expect the users of concern on your network are under five years old and that most of them lack advanced knowledge of networking. Is there an established standard for what qualifies as a reliable-enough filter?


What kind of legal requirements are these, which country?



