
IP-based and domain-based. We have a long list of domains/IPs used by VPN providers.

Won't prevent someone from setting up their own SSH-based proxy on port 443, but covers things that are accessible and easy to use by young students (talking about elementary school in our case).

Again, we are talking about a school network with young kids (under 12/13).



If DoH is backed by e.g. Google, won't they just end up exposing DoH on the same IP addresses serving www.google.com? Similarly, what if e.g. CloudFlare exposes their DoH on all their addresses? This seems like the obvious next step for them.


+1

And Cloudflare already does expose DoH on all addresses, as long as the SNI/Host header is one of the vhost hostnames. You can currently make DoH requests to cloudflare-dns.com, the "mozilla" subdomain, one.one.one.one, 1.1.1.1, and 1.0.0.1 (there may be others that I'm not aware of).


"Again, we are talking about a school network with young kids (under 12/13)"

As a school network admin in another life, I came to the conclusion that there is no limit to the ingenuity of pupils even at that age. And I'm just thinking that even big hitters like Netflix have problems properly filtering out VPN services and the like. Anything-as-a-service makes it all the more accessible to anybody, even for free.

Try to disable DoH if you can for now while you prepare something more permanent and resilient. Kids viewing pornographic material in school is a lawsuit waiting to happen, I think.

Hopefully for BYOD parents will take a bit of the load off. At least tech savvy ones tend to make sure the device is properly "insulated". Plenty of lockdown options out there for this.


This would probably require new equipment (or just an update) but at that point, you could use an SNI whitelist, then drop port 443 traffic that isn't TLS. You could even drop the request when SNI is not present, in the case of encrypted SNI (if the network box has this feature).



