
I replied sub-thread, but adding here to give some more visibility to some of the issues DoH is causing and will cause:

I work at a k12 school and I am involved in many k12 IT communities.

Some schools already removed Firefox from the students computers because it was being used as a "VPN" by some elementary students to access porn - at school. Guess what this VPN was? Just DNS over HTTPS.

There is a fine line between protecting yourself from your ISP and local network operators that NEED to apply some security policies to their traffic. Even Google offers "Safe Search" for schools and libraries that removes porn content.

Unfortunately, on our school network, we also allow BYOD (students with their own laptops and iPads), so we will have to have some strict rules to block DoH, the same way we block proxies and VPNs.

The only other option is going to full HTTPS MITM, forcing a root SSL cert to all computers that use our network, which is the last thing that anyone wants to do.

Summary: This may lead to more HTTPS MITM or schools forbidding BYOD AND removing Firefox from their computers.



Don't worry. Soon Chrome will also implement DoH and ESNI, then you actually have to either forbid BYOD or actually start teaching students manners, how browsing porn is not okay in school context. I'm really quite annoyed by the connotation that kids should rather be helicopter-parented (by tech or by people) than actually taught what's okay and what's not.

The very least the new tech provides is that any silent helicopter parenting is becoming more visible and I'm grateful for that. Kids deserve internet privacy just as much as real-life privacy.


> Soon Chrome will also implement DoH and ESNI, then you actually have to either forbid BYOD or actually start teaching students manners...

If you think that this is how it will go, you're very naive. If schools and parents can't block porn anymore, prepare for more legislation that blocks porn by default at the ISP unless you pay some kind of fee - like what the UK has proposed. Also look for a return of "content standards" for sites that want to be kept off the "porn list", like the old broadcast TV content standards.


Thankfully I don't live in the USA where asinine things like that would work. Pretty sure there isn't a single school here that tries to enforce a web filter other than "Let's agree not to visit pages that are not allowed [OK]". I hope I'm not naive, maybe just not super-accustomed to the "tHinK oF tHE ChiLDRen"-narrative for pushing filters (or other things) through.


Maybe they're not from the West, and are just ignorant of how ignorant we are, not naïve.


> prepare for more legislation that blocks porn by default at the ISP

See you're missing something. If you as the local network operator can't block porn then neither can any intermediate ISP. It's not like they have any more power than you do.


I definitely don't want my six year old to be able to use their school-provided, Internet-connected iPad any way they please, with plenty of privacy.

And yeah the actual solution is "don't fucking give a six year old an Internet-connected device of any sort, obviously, you idiots" but they do, so monitoring and blocking are absolutely necessary.


The original commenter talked about BYOD though, maybe school-given devices are set up so that they don't let kids do whatever they want.

In the case of BYOD, if you're not okay with your kid having an Internet-connected device and that they're going to use it responsibly then don't give him/her one or only allow it under parental supervision. If we're carefully watching and teaching kids when they're handling knives or matches, why not do so with internet connected devices?


If your child is supervised on the internet and doesn't have a tablet, and mine isn't and does, and my child showed your child stuff you disapproved of while in school, would you complain to the school?

Because some parents would.


Then your child could simply download the content at home and show it at school without internet connection.

Parent would still complain.

The solution isn't to play helicopter-parent because other parents might helicopter even more.


> Because some parents would.

Some parents complain about sex ed and vaccination, satisfying the lowest common denominator doesn't really work.

If some kid showed actually NSF-School images, such as nudity, to other kids and it was a first time offense a warning should suffice. If it's a repeated offense then maybe the kid needs psychological help.

Just as a hypothetical scenario, there's the possibility that a kid shows others a picture of for example Michelangelo's David (or similar art piece), do you think that kid should be punished for showing nudity to other kids?


It's not "manners" that's the problem. It's liability (and not just for students-- think "hostile work environment" issues).


What would removing Firefox accomplish? Why would students not just download one of the bazillion Chrome VPN addons? Or regular VPNs that they can just turn on and off? How is _removing Firefox_ a solution?

What these schools need is to set up sensible group policies. Managing BYOD on a school with kids (as opposed to grown-up people whose jobs are on the line) is simply impossible.


I think the poster was talking about two separate schools. One which doesn't allow BYOD and tackled the problem by removing Firefox, and a second where the poster works at which does allow BYOD and therefore removing Firefox is not an option.


To add to this issue from a personal level: those who use a Pi-hole or operate other internal services from within their own home network will now have to change the settings for _every application_ using DoH on that network.

This could become a major hassle if the number of devices and owners becomes large. There's not even a work around for this because I do not directly manage family members' devices (nor would they want me to).

I really like Firefox for they are the only real option these days. I use it and I encourage all those around me to use it. This change will require me to do a lot more manual work and likely lead to confusion over whether a service is down or not.


Yep. What happens when Chrome adds DoH support? And Safari?

And whatever Gaming app the kids download? Suddenly it will become impossible to manage and maintain.

Not even talking about the troubleshooting nightmare.

DNS should be a system-level setting, not an App-level setting.


How far off are we from DoH being supported by common operating systems, DHCP, etc?

It would be nice if these apps could detect whether the system is using DoH and only fall back to their own DoH resolver in the case they're using "legacy" DNS.


Honestly, all these apps shouldn't even bother detecting for DoH or not. If people want to use DoH they can set up their own local resolver and configure their network for it (and for folks on Windows, that could even be packaged third-party).


The reason browsers are interested in including DoH is to protect users who don't even know this is a problem, and definitely aren't going to set up their own resolver.


What's the point of using DoH over the local network? We can generally assume the local network is "secure".

If I want to use DoH when sending DNS queries to the outside world, I can setup my own forwarder to forward DNS queries via DoH.


That's not always a safe assumption, e.g. public WiFi.


> How far off are we from DoH being supported by common operating systems, DHCP, etc?

To my knowledge none. Nobody is doing this, because it subverts how DNS is supposed to operate.

> It would be nice if these apps could detect whether the system is using DoH and only fall back to their own DoH resolver in the case they're using "legacy" DNS.

Yeah. Good luck diagnosing that when something stops working as expected.


> To my knowledge none. Nobody is doing this, because it subverts how DNS is supposed to operate.

Huh? Of course people do this, it's a standard way to do DNS that improves over older DNS wire protocols by offering better security properties. It's unfortunate that we had to involve HTTP in this, but needs must.

For example you can drop in an NSS replacement that uses DoH instead of conventional DNS for all your glibc software, or you can get software from a variety of sources that runs on UDP port 53 of your local machine like a normal DNS relay but uses DoH to someone trustworthy to deliver.


> DNS should be a system-level setting, not an App-level setting.

I would go even further: Any app trying to bypass the system-level network settings (like with DoH) should be considered malicious and possibly malware.

This is what spam-bots used to do back in the days. Now let’s add Firefox to the list.


> Any app trying to bypass the system-level network settings (like with DoH) should be considered malicious and possibly malware.

This is my point of view precisely.


Or trying to help the user "jailbreak" out of a restricted environment.


Having a pihole still doesn't prevent applications from using another resolver - for example dig example.com @8.8.8.8 You'd also need to block all other DNS traffic. And even after that, it's tricky, as applications that are not a browser might be doing this with a hardcoded DoH provider.


There’s a way to redirect any port 53 traffic back to your pihole if you have enough control over the gateway, but I don’t know if it’s worth doing. Breaks a bunch of things you’d normally do to debug whatever.


Been doing this a few years, after seeing lots of apps and devices using 8.8.8.8 despite being given my resolver back via DHCP (so obviously hard-coded into them and they're ignoring OS DNS.)

No practical drawbacks so far, although I have found many “open resolvers” online from my home, only to realize it’s the redirection messing things up.


instead of redirecting you can log it so you can identify suspicious apps
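Following on from the logging suggestion above, here is an added example (not code from anyone in the thread) of what you would do with those logs: parse kernel lines written by an iptables LOG rule for port 53/853 traffic that is not headed for the local resolver, and list which client (IP and source MAC) is talking to which outside resolver. It assumes the Pi-hole sits at 192.168.1.2 and that the gateway carries rules like `iptables -A FORWARD -i br0 -p udp --dport 53 ! -d 192.168.1.2 -j LOG --log-prefix "DNS-BYPASS "` (and the same for TCP 853); the log lines themselves are constructed.

```python
"""Identify LAN devices that ignore the DHCP-advertised resolver.

Added example. Assumed setup: a Pi-hole at LOCAL_RESOLVER and a gateway LOG rule
(or a DNAT rule back to the Pi-hole) for port 53/853 traffic to any other address.
Port 853 is DNS-over-TLS, so it is flagged separately; DoH over 443 never appears
in a port-based log like this, which is the thread's point.
"""
import re
from collections import defaultdict

LOCAL_RESOLVER = "192.168.1.2"

# Constructed kernel log lines in the iptables LOG target format.
SAMPLE_LOG = """\
Jun  3 10:15:02 gw kernel: DNS-BYPASS IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:a0:b1:c2:d3:e4:f5:08:00 SRC=192.168.1.42 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51234 DPT=53 LEN=40
Jun  3 10:15:03 gw kernel: DNS-BYPASS IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:a0:b1:c2:d3:e4:f5:08:00 SRC=192.168.1.42 DST=8.8.4.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51235 DPT=53 LEN=40
Jun  3 10:15:09 gw kernel: DNS-BYPASS IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 SRC=192.168.1.77 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=40001 DPT=853 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  3 10:15:10 gw kernel: OTHER IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 SRC=192.168.1.77 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  3 10:15:11 gw kernel: DNS-BYPASS IN=br0 OUT=br0 MAC=00:11:22:33:44:55:ca:fe:00:00:00:02:08:00 SRC=192.168.1.50 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53210 DPT=53 LEN=40
"""

# Only the fields we need; LEN/SPT/etc. are deliberately not captured.
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT|MAC)=(\S+)")


def parse_line(line):
    """Return the DNS-relevant fields of one LOG line, or None if it is not port 53/853."""
    fields = dict(FIELD.findall(line))
    if fields.get("DPT") not in ("53", "853"):
        return None
    # iptables logs MAC= as dst(6 octets):src(6 octets):ethertype(2 octets);
    # the client's own MAC is octets 6..11.
    octets = fields.get("MAC", "").split(":")
    src_mac = ":".join(octets[6:12]) if len(octets) >= 12 else None
    return {"src": fields["SRC"], "src_mac": src_mac, "dst": fields["DST"],
            "proto": fields["PROTO"], "dport": int(fields["DPT"])}


def find_bypassers(log_text, local_resolver=LOCAL_RESOLVER):
    """Map (client IP, client MAC) -> set of (resolver IP, port) for non-local DNS/DoT traffic."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] == local_resolver:
            continue  # not DNS, or correctly going to the Pi-hole
        hits[(rec["src"], rec["src_mac"])].add((rec["dst"], rec["dport"]))
    return dict(hits)


def report(hits):
    """Human-readable lines, one per offending client."""
    out = []
    for (ip, mac), targets in sorted(hits.items()):
        where = ", ".join(f"{d}:{p}{' (DoT)' if p == 853 else ''}" for d, p in sorted(targets))
        out.append(f"{ip} ({mac}) bypassed the local resolver -> {where}")
    return out


if __name__ == "__main__":
    for line in report(find_bypassers(SAMPLE_LOG)):
        print(line)
```

Two clients show up: 192.168.1.42 with hard-coded Google resolvers, and 192.168.1.77 doing DoT to 1.1.1.1; the device that queried the Pi-hole is ignored. Run this on the real log before switching the LOG rule to DNAT, so you know which devices will start getting filtered answers.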


> It would be nice if these apps could detect whether the system is using DoH and only fall back to their own DoH resolver in the case they're using "legacy" DNS.

In which case these applications are either broken or malware.

The application needs to fix that by using DNS supplied by the OS, as everyone should do.


There are plenty of reasons to use a different resolver on app vs OS level, not only for malware or "broken" applications.

The DNS setting by the OS, just like the proxy settings, is a first suggestion on how to connect.

Chrome will contact 8.8.8.8 in certain circumstances and Firefox has DoH. Both can set proxy settings different from system via various means.


> Unfortunately, on our school network, we also allow BYOD (students with their own laptops and ipads), so we will have to have some strict rules to block DoH, the same way we block proxies and vpns.

How can you block DoH without doing MITM on all outgoing HTTPS? For that matter, how can you block HTTPS based VPNs like OpenVPN?

ETA: I understand you can block IP addresses of DNS resolvers that support DoH. I assumed that to make this work, Mozilla / Google / etc. would serve DoH from the same IPs as some big services, so you wouldn't be able to block DoH without blocking something like Google's homepage.


>How can you block DoH without doing MITM on all outgoing HTTPS? For that matter, how can you block HTTPS based VPNs like OpenVPN?

OpenVPN isn't HTTPS based. It has TLS support, but AFAIK it's implemented as TLS-over-OpenVPN rather than OpenVPN-over-TLS, so it's still very distinguishable from a HTTPS connection. There are workarounds like using TCP mode over stunnel, though.


You're right! I wasn't aware of that.


IP-based and domain-based. We have a long list of domains/IPs used by VPN providers.

Won't prevent someone from setting up their own SSH-based proxy on port 443, but covers things that are accessible and easy to use by young students (talking about elementary school in our case).

Again, we are talking about a school network with young kids (under 12/13).


If DoH is backed by e.g. Google, won't they just end up exposing DoH on the same IP addresses serving www.google.com? Similarly, what if e.g. CloudFlare expose their DoH on all their addresses? This seems like the obvious next step for them.


+1

And Cloudflare already does expose DoH on all addresses, as long as SNI/Host header is one of the vhost hostnames. You can currently make DoH requests to cloudflare-dns.com , the "mozilla" subdomain, one.one.one.one, 1.1.1.1, and 1.0.0.1 (there may be others that i'm not aware of ).


"Again, we are talking about a school network with young kids (under 12/13)"

As school network admin in another life I came to the conclusion that there is no limit to the ingenuity of pupils even at that age. And I'm just thinking that even big hitters like Netflix have problems properly filtering out VPN services and the likes. Anything-as-a-service makes it all the more accessible to anybody even for free.

Try to disable DOH if you can for now while you prepare something more permanent and resilient. Kids viewing pornographic material in school is a lawsuit waiting to happen I think.

Hopefully for BYOD parents will take a bit of the load off. At least tech savvy ones tend to make sure the device is properly "insulated". Plenty of lockdown options out there for this.


This would probably require new equipment (or just an update) but at that point, you could use an SNI whitelist, then drop port 443 traffic that isn't TLS. You could even drop the request when SNI is not present, in the case of encrypted SNI (if the network box has this feature).
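The three checks proposed just above (drop non-TLS on 443, drop ClientHellos without SNI, allow only an SNI whitelist), together with the earlier points that OpenVPN-over-TCP is distinguishable from HTTPS and that Cloudflare serves DoH under names like cloudflare-dns.com and one.one.one.one, can be shown on raw bytes. This is an added example, not code from the thread or from any firewall vendor: it parses the first client payload of a TCP/443 flow, classifies it as TLS or OpenVPN, pulls the server_name extension out of a ClientHello, and applies a constructed allowlist and a constructed list of DoH front-end names (dns.google is Google's public DoH name, added here; the rest are from the thread). The ClientHello bytes are built locally so the whole thing runs offline.

```python
"""Policy decision on the first client bytes of a TCP/443 flow. Added example."""
import struct

# Constructed policy. A real school allowlist would be much longer.
ALLOWED_SNI = {"classroom.google.com", "www.google.com", "en.wikipedia.org"}
DOH_SNI = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "one.one.one.one", "dns.google"}

# OpenVPN over TCP: 2-byte length prefix, then one byte with opcode in the top 5 bits.
# Session-opening opcodes: P_CONTROL_HARD_RESET_CLIENT_V1=1, _V2=7, _V3=10.
OPENVPN_CLIENT_RESET = {1, 7, 10}


def classify(payload: bytes) -> str:
    """'tls' for a TLS handshake record (0x16, 0x03, minor version), 'openvpn' for a
    client hard-reset, else 'other'. Heuristic: the OpenVPN test can match random bytes."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if len(payload) >= 3 and (payload[2] >> 3) in OPENVPN_CLIENT_RESET:
        return "openvpn"
    return "other"


def extract_sni(record: bytes):
    """server_name from a ClientHello record, None if the extension is absent.
    Raises ValueError when the bytes are not a (complete) ClientHello."""
    if classify(record) != "tls" or len(record) < 5:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("handshake is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                            # legacy_version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos + 2 > len(body):
            return None                                         # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0x0000:                                 # not server_name
                continue
            lpos = 2                                            # skip ServerNameList length
            while lpos + 3 <= len(data):
                ntype, nlen = data[lpos], struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0:                                  # host_name entry
                    return data[lpos:lpos + nlen].decode("ascii")
                lpos += nlen
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return None


def decide(payload: bytes, allow=ALLOWED_SNI, doh=DOH_SNI):
    """('allow'|'drop', reason) for one port-443 flow's first client payload."""
    kind = classify(payload)
    if kind != "tls":
        return ("drop", f"non-TLS payload on 443 ({kind})")
    try:
        sni = extract_sni(payload)
    except ValueError as exc:
        return ("drop", str(exc))
    if sni is None:
        return ("drop", "no SNI present (ESNI/ECH or stripped)")
    if sni in doh:
        return ("drop", f"known DoH endpoint {sni}")
    if sni not in allow:
        return ("drop", f"{sni} not on allowlist")
    return ("allow", sni)


def build_client_hello(sni):
    """Minimal TLS 1.2-style ClientHello with an optional server_name extension (test input)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name type + length + name
        lst = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(lst)) + lst
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"        # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                    # one cipher suite
            + b"\x01\x00"                                           # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed OpenVPN P_CONTROL_HARD_RESET_CLIENT_V2 over TCP: length, opcode 7 / key_id 0,
# 8-byte session id, empty ack array, 4-byte packet id (no tls-auth HMAC).
OPENVPN_RESET_V2 = struct.pack("!H", 14) + b"\x38" + b"\x11" * 8 + b"\x00" + bytes(4)

if __name__ == "__main__":
    for pkt in (build_client_hello("classroom.google.com"), build_client_hello("cloudflare-dns.com"),
                build_client_hello(None), OPENVPN_RESET_V2):
        print(decide(pkt))
```

Two caveats the code makes visible: a real ClientHello can span more than one TCP segment, so a production box has to reassemble before parsing; and once SNI is encrypted the only remaining signal is "no SNI", which is why the comment above ends up dropping those flows outright.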


Sounds like the bigger problem is that your porn filters can be circumvented with a DNS change. If you're banning DoH, you also need to ban custom hosts files.


DoH is different because it masquerades as HTTPS traffic. You can block DNS traffic sent to servers configured in custom hosts files, but you can't block DoH unless you either have a list of every DoH server in existence, or block all HTTPS traffic.

That's kind of the entire point of DoH. DNS-over-TLS (DoT) provides TLS encryption for DNS traffic, but runs over port 853 so network operators can control where queries go.


> You can block DNS traffic sent to servers configured in custom hosts files

You're thinking of configuring a custom DNS server, which is not related to the hosts file. The hosts file replaces DNS so there would be no network traffic to block.

Theoretically a kid who really wants his porn could manually add the name-to-IP entries for his favorite sites to his local hosts file, completely bypassing any DNS based filtering you might have on the network.


amusingly, putting enough safeguards in place that kids would do this would actually be providing some good education for kids on the path to hacking.


If you want to prevent anything like this you either have strong (centralized) controls on the client side - policies hardening the client to the point where no reasonable exploitation avenue is left (no hosts file, no running portable browser, no changing settings, etc.), or strong controls on the network - proxy and make sure no matter what the client wants it goes only where it's allowed (no VPN, no DNS filter bypass, etc.).

Maybe the occasional brilliant kids will find a way, good for them. But there's a limit to how much "ghetto administration" you can do without expending any resources on it and still have your measures hold after a few weeks of curious students probing at them.


yeah, they're saying just route to the porn site through the custom hosts file.


Why did the schools remove Firefox rather than enforcing no-DoH in the Firefox config files (not about:config)?


Of course you can lock stuff via enterprise settings so that about:config entries can't be modified by local users, but that takes time to find out and test, while removing the weird non-Chrome browser that's still present mostly for inertia reasons but nowadays only gets used for evil porn is much easier.


Saving time by applying a non-solution (like removing one browser instead of treating the root cause) is not actually saving anything. You just kick the problem further down the road. Firefox prefs are documented even if not in the most user friendly way [0][1][2][3]. For the most part performing some basic hardening and other useful config on the browser takes less than a day. A person with some IT background shouldn't have too many problems doing it and it's more or less a one time thing.

[0] https://dxr.mozilla.org/mozilla-release/source/modules/libpr...

[1] https://dxr.mozilla.org/mozilla-release/source/browser/app/p...

[2] https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Ent...

[3] https://support.mozilla.org/en-US/products/firefox-enterpris...


no, using the nuclear option of removing the browser outright when others work is the smart, efficient option that someone who actually works in IT with limited resources would (and should) use.

this stuff about finding all the right config files during "basic hardening" and having it just work is the stuff of armchair commenters and people who do IT/security on a well funded, sufficiently redundant team. assuming the latter would be the people in charge of school IT is hopelessly naive.


So tell me then, what exactly are you achieving with removing Firefox when the same bypass can easily be achieved with Chrome? Remove Chrome also? Call the well funded security team to configure whatever browser you’ll eventually have to use?

The problem with half assed work is that you still put in some effort but reap none of the rewards. You work to uninstall Firefox from dozens of computers but get exactly 0 results because now you’ll have to configure Chrome. Default installations of both browsers are perfect for home use but woefully inadequate for controlled networks.

And in the end you put in just about as much effort as changing some flags in any one of the dozens of example config files available on the internet and copying it on every machine.


the DNS filtering works on chrome. yes, people can bypass it, but it doesn't even work on firefox, so they remove firefox. this isn't rocket science, and you're being foolishly contrarian instead of trying to understand what the original commenter's actual situation is. this leads me to believe that you are hypothesizing about work you don't do, but feel perfectly qualified to talk about "half assing" things.


> you're being foolishly contrarian instead of trying to understand what the original commenter's actual situation is

Perhaps because he's describing 2 different situations. One where "some schools" are removing Firefox, and one where it's not an option for him because of BYOD. Uninstalling Firefox is exactly the solution he can't apply. So I still maintain that the other schools that fully control the clients could have applied a proper fix faster and cheaper than any uninstall. It's one line in a config file [0], already linked above.

All your replies are gratuitously aggressive and insulting. That's not a good way to contradict my solution that works, is simpler and more future proof than uninstalling browsers with DOH.

Eventually all browsers will have DOH, you can't uninstall them all. And leaving a browser unmanaged and at the mercy of a student is not an option since requiring 2 extra clicks to bypass the filtering isn't a solution. You need some form of management either way.

I already gave you a solution that's better than removing the browser and "cheaper" than having to manage Chrome with GPOs (not a high bar). Insults won't change that.

[0] https://dxr.mozilla.org/mozilla-release/source/modules/libpr...


this is getting really boring and repetitive, but you didn't give a "cheaper" solution, you gave an administratively more expensive solution (change files on machines rather than bulk remove an app which is out of the box functionality for many products IT like this would use), along with moving the goal posts; the goal is "keep my DNS filtering working," not "make sure no one ever gets to the porn site."

of course, you would need to do more in chrome (and windows/osx/ubuntu generally) to stop traffic to a site if a student knows what they're doing. that's not the point. the point is: we have this control in place. we've agreed it's working well enough. people can bypass the control simply by using firefox. to avoid adding overhead, we ditch firefox (for now). it's that simple.

as for future-proofing, that's a luxury. ...and part of why it's a luxury is that some goals ("make all traffic to any porn sites impossible on our school network") just aren't going to be met by budget IT.

re: BYOD, for that i go over to the armchair tech purist side i'm afraid, and just say "well, you allow that, so you need to get over that they can use VPNs and stuff. you're not DOJ or some wealthy corporation with important IP assets and equally 'important' VIP execs that insist on bringing their OSX 10.6 MBP to work. you don't get to have all the cool controls that might allow BYOD. sorry."


You didn't understand OP's comment and realized only after I pointed out that HE is the one with the BYOD problem where uninstall can't fix anything. I'm not the one moving the goalposts. His only option is applied outside of the client, at network level. As for the other schools, the effort they put in today bought them a week or two at most. More than enough time for the students to have "workarounds" in place and access anything they want since as you said the admin has no resources to control what's happening on the machine. But you know, it's unwise to pay too much, but it's worse to pay too little; buy cheap, buy twice; poor man pays twice.

They were better off uninstalling Chrome. Firefox at least can be controlled with a config file and a script to do bulk copy, Chrome wants GPOs and without lockdown you have a ton of extensions in the store to make your DNS filtering redundant. I believe the latter is the better option but if a config file is beyond the possibilities of the school admin I expect their browsers to be fully unmanaged and at the mercy of the user. It can't be both ways.

I appreciate that you finally confirm what I said from the beginning: It is a half assed job (because doing it properly "is a luxury"). Uninstalling just kicks the problem down the road and lets "future you" deal with it a few days or weeks later.

> an app which is out of the box functionality

Begs the question why put in effort to install then uninstall it when there was no need for either. I'm not in their head but one thing's for sure, your explanation relies on conflicting argumentation. We're talking about a hypothetical Schrödinger's admin that at the same time both has and hasn't got the resources to do the work.

Cheerio.


How efficient is the "nuclear option" when all browsers have DNS-over-HTTPS? By then you have a few options:

- Implement a proxy to break SSL.

- Configure the browsers to disable DOH (GPO or local configuration) for as long as it's an option.

- remove all browsers because that's the solution you already have in place.

I wholeheartedly disagree with any resolution that just hides or ignores the issue especially when it's scheduled to become more or less standard.


Yes, we should stick with IE6 on all machines, no need for any other browsers


firefox messes up their DNS filtering, chrome doesn't. so they remove firefox and enforce chrome. if you see that as a slippery slope, you're imagining it. they probably 1) have a decent app like ninite to remove and install apps, 2) don't have anything but their production environment, 3) don't have a homogeneous environment in terms of patching (maybe they do), 4) don't have people to go around and make sure the config changes they push (however they would push them) took, worked, etc. so they block the app. maybe eventually they reinstall it. welcome to IT.

...which reinforces my point about how people actually doing this and people speculating about it tend to respond to issues like this.


> firefox messes up their DNS filtering, chrome doesn't

I take it you assume students are not creative enough to get the exact same result with Chrome? Because it is perfectly possible to do it. Unless of course you take steps to prevent that in Chrome. One way or another you either put in the work or the users will end up doing whatever they please. After configuring the OS doing the same for the browser is a relatively small step.


of course it's possible to do so. but DNS filtering works for most users, and is much easier to centrally manage on a budget (in terms of time / people / money) than browser settings.

i'm belaboring this point now, but people who actually do this stuff know that you can't just throw up a GPO to fiddle with chrome settings and expect everything to work. this culture of "power users" thinking they know the best course of action for every situation in IT (and it's always "that thing i Put In The Work to do when i was tailoring my own system") is really silly.


> know that you can't just throw up a GPO to fiddle with chrome settings

I thought we were talking about how hard it is to fix Firefox. This can be done on a budget - part of an afternoon - since it can be very easily managed with a plain old config file copied to all machines (at least until a couple of versions ago). With this gone you're left with Chrome. How would you make sure no user can use any one of the multiple options to abuse a non-managed Chrome and bypass this? Remember that your target isn't to have a browser that doesn't mess up filtering, it's to prevent students from using any (creative) means to access restricted material. And with Chrome there's one sure way to prevent those creative means. So don't answer, it will be GPOs.

And since your fix for DOH and DNS filtering is to uninstall the browser (!) when Chrome eventually implements it will make for an interesting conversation ;).


as i replied in the comment below, the goal isn't "absolute porn free paradise," it's "keep our current control working." sound shortsighted to you? it is. it's also the easiest thing, and frees everyone up to do other, more important work than impressing people who are aghast that an organization would uninstall 1 of 2 browsers b/c it bypasses some control of theirs.

as for once chrome implements DOH, they'd cross that bridge when they came to it. it's an uphill battle, because really content filtering, of course, should not be done through browser settings (remotely managed or otherwise), nor solely through DNS. if whoever tells IT what to do in that school district is hellbent on it being impossible to browse to pornhub, they'll ultimately need a layer 7 firewall. but again, when you're on the budget, you do fastest / cheapest / most effective.

(and if we return to pure hypothetical, i would argue that dns filtering really is the best way in their case, because anyone who could bypass that--besides just using firefox--will be able to bypass better chrome config, or your firefox config change, etc, since they can just edit host file, etc etc etc)


I don't think there is a good solution. Yes, you own the network and think you should be technologically able to block access to certain websites (which the school has the right to do), but ISPs also "own" the network and would also be able to block access to certain websites if it were possible with DoH+eSNI.

I guess a solution is MDM, but that's still getting students to install something on their device.


I would not install a school managed backdoor on my device.


So your options are then:

- Cry about it and hope they change the policy (they won't)

- Accept using your cell data at school instead of their wifi (works, but is expensive)

- Bypass it using a VM (requires moderate technical knowledge, networking skills and possibly the ability to bypass vm detection)

- Reverse engineer it and crack it to behave the way you want (requires some pretty advanced technical skills)

As such, the vast majority of people will just go ahead and install it. This is the problem with these sorts of applications...


Or you can have the local interface and the cellular interface up at the same time, have the default route through the local interface but have a route to your preferred DNS server through cellular. Then the only traffic you have to pay for over cellular is DNS, which is very small.


Kids are clever, if one of their classmates is known to be tech-literate and (s)he's saying the school is snooping on you the amount of shadow IT will rise. Vast majority will install, but also have some other device to bypass.


Sounds like it is working perfectly, you want a MITM and this is making that difficult.


Quite the opposite. We don't want MITM and this may force that direction.


Poor choice of term maybe... you want to get information about communication between endpoints without their consent.


Well its a school. They (or their legal guardians) consent as a condition of using the network.


It sounds like they have root access on the computers in question. There's plenty of options thus available to them.


The OP talked about BYOD, which rarely includes "root access" (either via a root cert for decrypting traffic or admin level access to the machine).


I was referring to the machines they were preventing the installation of Firefox on.

For BYOD, I don't know what you're gonna do. Many students have smartphones too (some with tethering), and you can't control what they look at on those either. Plus, even if the school could somehow magically lock everything down 100% within the confines of the school building, the students can still get access to whatever at home, or using coffeeshop WiFi, or whatever.


> the students can still get access to whatever at home, or using coffeeshop WiFi, or whatever.

That's fine, these are not school responsibility. Once the parents complain, you can redirect them to their home or coffeeshop.


What stops them from downloading this stuff and still bringing it to school?


The point is not stopping them downloading this stuff.

The point is stopping them downloading this stuff using the school's property or infrastructure. If they download it elsewhere, it is someone else's problem then. If someone complains, it's someone else's fault, and the school can fingerpoint.

If they just bring it to the school, they can be disciplined, but no other steps need to be taken.


You can use special paint on the buildings that blocks RF. There are also cell phone jammers. They require a license and approval from the FCC and have legal implications / risks.


This use case wouldn't get approved. It's very hard getting an exception and this doesn't come close to meriting it.

Preventing cell phone calls could have dire consequences in an emergency, and stopping kids from looking at porn doesn't remotely merit taking that risk.


I completely agree.


Blocking RF is illegal if it's done with the intent you describe. It's fine if your building gets terrible or no reception but if you purposely design it that way you're not protected.


There are a number of organizations and businesses that block RF. Their legal team review the local statutes and the employees sign acceptance in the AUP onboarding documentation.

To your point, there are certainly countries and jurisdictions that do not permit blocking RF or have strict exceptions.


> Their legal team review the local statutes

In the US, local statutes and AUPs don't enter into it. This is federal law. You're right, there have been a number of organizations that have done this -- and enough of them have been fined for it that the number is much smaller than it used to be.


... where using the network is required for participating in school? That would be an interesting notion of consent.


> I replied sub-thread, but adding here to give some more visibility
> to some of the issues DoH is causing and will cause:
>
> I work at a k12 school and I am involved on many k12 IT communities.
>
> Some schools already removed Firefox from the students computers
> because it was being used as a "VPN" by some elementary students
> to access porn - at school. Guess what this VPN was? Just DNS over HTTPS.

Firefox now has enterprise support where the administrator can force all desktops to use certain Firefox settings including enabling/disabling/configuring DoH.

See https://www.mozilla.org/en-US/firefox/enterprise/

And here's a link to details for configuring DNS over HTTPS: https://github.com/mozilla/policy-templates/blob/master/READ...

(I work at Mozilla)
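A worked version of that policy, added here as an example and not Mozilla's own code: it builds the `DNSOverHTTPS` entry of a `policies.json` (key names as documented in the policy-templates README linked above) and checks the result for the setting that matters in this thread, `Locked`, without which a student can switch DoH straight back on in about:preferences. The `doh_findings` checker and the install-directory argument are my own, not part of the policy format.

```python
import json
from pathlib import Path

# Documented keys of the DNSOverHTTPS policy (mozilla/policy-templates README).
DOH_POLICY_KEYS = {"Enabled", "ProviderURL", "Locked", "ExcludedDomains"}


def doh_policy(enabled, locked=True, provider_url=None, excluded_domains=()):
    """Build a policies.json document whose only policy is DNSOverHTTPS."""
    entry = {"Enabled": enabled, "Locked": locked}
    if provider_url:
        entry["ProviderURL"] = provider_url
    if excluded_domains:
        entry["ExcludedDomains"] = list(excluded_domains)
    return {"policies": {"DNSOverHTTPS": entry}}


def doh_findings(policy):
    """List the ways a policy still lets the user (re)enable or redirect DoH.

    An empty list means a managed Firefox cannot be pointed at a DoH resolver
    the administrator did not choose.
    """
    entry = policy.get("policies", {}).get("DNSOverHTTPS")
    if entry is None:
        return ["DNSOverHTTPS not set: Firefox's built-in default (DoH auto-enabled "
                "in some regions) and the user's own preference both apply"]
    findings = []
    unknown = set(entry) - DOH_POLICY_KEYS
    if unknown:
        findings.append(f"keys outside the documented schema: {sorted(unknown)}")
    if not entry.get("Locked", False):
        findings.append("Locked is false: the DoH setting stays editable in about:preferences")
    if entry.get("Enabled") and not entry.get("ProviderURL"):
        findings.append("Enabled without ProviderURL: Firefox's default resolver is used, "
                        "not a resolver the school operates or filters")
    return findings


def write_policy(policy, install_dir):
    """Write policies.json where Firefox looks for it: <install dir>/distribution/."""
    dist = Path(install_dir) / "distribution"
    dist.mkdir(parents=True, exist_ok=True)
    target = dist / "policies.json"
    target.write_text(json.dumps(policy, indent=2) + "\n")
    return target


if __name__ == "__main__":
    weak = doh_policy(enabled=False, locked=False)  # the user can turn DoH back on
    print(doh_findings(weak), doh_findings(doh_policy(enabled=False, locked=True)))
```

For BYOD machines that never receive the policy, the network itself can still opt out of Firefox's default DoH rollout: Firefox queries the canary domain use-application-dns.net and, if the local resolver answers NXDOMAIN, does not auto-enable DoH; this does not override a setting the user or an administrator made explicitly.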


Ultimately we cannot secure content without being able to look at it (encryption is the problem). We need to be able to look at what the kids are looking at if we want to control what information gets to them.

DNS is a band-aid solution with side effects.


Palo Alto firewalls do decryption on the fly should you want to look at this. It can all be logged with short or long logging.

Worked in your arena for 5 years. Kids are creative and crafty. We had kids getting around the MDM/DNS blocks by changing the DNS/Proxy settings in their iPads. This is not easily overcome with existing MDM solutions AND letting the iPad be usable. BYOD is a whole different animal since you cannot legally "touch" their devices; you have to implement the federally-mandated blocks at the infrastructure level. Kids can use VPNs all day and there is nothing that can be done in reality.

At a previous job, believe it or not, I worked with a client with almost a zero budget who was having massive issues with malware/ads in their public space that offered free computer use. Since the budget was minimal (less than $100 to fix), I deployed two Pi-holes and taught the "admin" how to manage it. Cheap, effective, works. I set the whole thing up to fail back to the network's DNS should the Pi-holes fail. Still running almost two years later.

The Pi-hole can block about any content you would like it to block with almost zero configuration. Easy to block a single domain or with a new rule set subscription.


Band-aid solution that worked pretty well. Very cheap to implement, widely supported and used by many schools.

Our students' data was still private (no emails or passwords being decrypted) and we did the filtering only based on the domain name. It also didn't require an expensive appliance that would be needed if we did the filtering based on SNI.


A student who really wants to see "the bad" on the internet isn't scared off by blocking some DNS/VPN/proxy traffic. This is wishful thinking.

The easiest work-around for students who want to show their mates some "cool porn" is to just save it at home. Or connect to the free wifi of <random shop> in reach.


But then it's not the school's fault.


When you allow BYOD you give up the ability to control the client, and you allow the mess of kids bringing their family computers to school, as well as this difference where other kids bring their own much-better computer.


So the students are advanced enough to change their Firefox config but not enough to change the DNS on their computers?


There are plenty of ways to lock down the ability to change DNS settings on your enterprise computers (you can also lock down Firefox with the right deployment) and you can block port 53 traffic to outside your network, but you can't block DNS -> HTTPS w/o the interventions cited above.


So, it is bad that Firefox was removed? Are you saying that you think that Firefox needs to be crippled enough that school districts feel comfortable using it?

The fact that it is enabling students (or anyone) to bypass restrictions is a good thing.

Why don't you try looking at this from another point of view? Firefox is a powerful, important tool, and I want it to continue to be so, even if it is not ideal for everyone.


Curious, how does your school solve this with students' phones? Have y'all considered requiring mandatory monitoring apps? Or cell phone data jammers and requiring them use y'all's wifi and require a CA cert install?


Reading these comments I'm more and more disgusted really, how is it okay (to even suggest) that personal devices of kids are so invasively monitored?

They deserve their internet privacy just as much as grown-ups do, even more so actually, given their higher trust in others. If schools are scared of the internet's dangers, then schools should educate, not wrap kids in digital bubble wrap that will disappear when they leave school, leaving them tech-illiterate and vulnerable.


> how is it okay (to even suggest) that personal devices of kids are so invasively monitored?

It isn't. Sorry my sarcasm didn't come through clear enough, but what you're saying and disagreeing with is my point.


If it becomes a problem, they'll just ban them again. Students got by just fine twenty years ago, when phones were confiscated on sight.


It's entirely within the intentions of browser vendors to make blocking of content without consent of a user hard or even impossible.

If the school cannot be bothered to block content properly (i.e., only via DNS blocking) then that is their own fault. The tools exist to block on an IP level.

For all computers the school owns, they SHOULD definitely do HTTPS MitM.


IP level is too coarse-grained to block sites hosted on Cloudflare etc., which host sites you also wish to allow access to.

SNI filtering is a reasonable middle ground - it has its flaws but is nowhere near as invasive as full MITM filtering, yet achieves most of the filtering objectives of the organisation. I.e. it is “good enough”. Sadly ESNI may be the end of the usefulness of this approach.


I consider DoH too dangerous to allow on my own network, so here's what I did: if you want to use HTTPS from my network, you need to install my root cert. I then proxy all HTTPS traffic to detect and drop DoH exchanges.

I expect that we'll see this sort of thing more and more.
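The DoH-detection step of such a proxy, added here as an example and not the commenter's code: once the proxy has decrypted a request, it classifies it as DoH using RFC 8484's markers (the `application/dns-message` media type for POST, a base64url `dns` parameter for GET) and pulls the queried name out of the DNS wire message so the drop can be logged. The sample requests are constructed; `build_dns_query` exists only to produce them.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 media type

def build_dns_query(name, qtype=1, txid=0x1234):
    """Minimal DNS wire-format query; used here only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1, RD set
    labels = [p.encode("ascii") for p in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def encode_dns_param(msg):
    """base64url without padding, the encoding the GET form of DoH uses."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")

def qname_from_wire(msg):
    """First question name of a DNS message, or None if it is not a usable query."""
    try:
        if struct.unpack("!H", msg[4:6])[0] < 1:  # QDCOUNT
            return None
        pos, labels = 12, []
        while msg[pos] != 0:
            n = msg[pos]
            if n & 0xC0:  # compression pointers never appear in a question name
                return None
            labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        return ".".join(labels)
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def classify_doh(method, target, headers, body=b""):
    """Return (is_doh, queried_name) for one request the proxy has decrypted.

    POST is DoH when its media type says so; GET is DoH when the 'dns'
    parameter decodes to a DNS query. Everything else is passed through.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method == "POST" and h.get("content-type", "").split(";")[0].strip() == DOH_MEDIA_TYPE:
        return True, qname_from_wire(body)  # name is best-effort for logging
    if method == "GET":
        raw = parse_qs(urlsplit(target).query).get("dns", [""])[0].rstrip("=")
        try:
            name = qname_from_wire(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
        except ValueError:  # binascii.Error is a ValueError
            name = None
        if raw and name is not None:
            return True, name
    return False, None
```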


I’d consider you installing a root onto my device far more dangerous than DoH, because how do I know you’re only dropping DoH, and not actively logging everything? I have to assume you are evil.

As a consequence I would not use your network. This may also be considered success from your point-of-view.


That's totally fair. My network, my rules. You are not required to use my network.

However, I'm not completely heartless. I also run an open WiFi AP that, although limited, is available for guests who aren't comfortable with my security measures. You can't reach the rest of my network through it, but it's there and will get you internet access.


Good! IT security theater can go away or own the device, install a root cert and really filter to your heart's content.

DNS filtering was always easily circumvented; a time sucking cat and mouse game at best.


This is perhaps a stupid question without context, but doesn't every kid of the age where this kind of thing is an issue carry their own smartphone nowadays? With mobile Internet?

