Which represents a reasonable number of side channels the bad guys have to choose from (though obviously most of them will use Google or Cloudflare). Until the commercial feeds and firewall providers start listing them as a category, you probably want to add them to your DNS RPZ (or equivalent) to break the initial lookup of the DoH server. Obviously there's nothing to stop applications/scripts using an IP address rather than a name, at which point, as ever, it's play whack-a-mole and block the IPs at the firewall if possible (Google currently make this tricky).
If you're feeling lazy, I've collated the DoH addresses from the above lists into an RPZ feed that provides an NXDOMAIN response. Obviously you should verify this and not trust me, but like I say, if you're feeling lazy the feed is "doh-no" via "ns.scramworks.net". I'm using it myself so I'll make fairly regular updates to it; the serial is in the normal YYYYMMDD## format.
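To show what such a feed looks like on the wire, here is an added example (not the doh-no feed itself, nor any code from the author) that renders a BIND-style RPZ zone returning NXDOMAIN for a list of DoH hostnames and maintains a serial in the YYYYMMDD## format described above, including the edge case of several updates on the same day. The hostname list is a constructed sample (a few widely known public DoH endpoints plus an obviously fake placeholder) and the nameserver name is a placeholder; substitute your own collated list and NS.

```python
"""Render an RPZ zone that answers NXDOMAIN for DoH resolver hostnames.

Added illustration only: not the author's feed generator. The host list and
nameserver below are constructed sample values.
"""
from datetime import date
from typing import Iterable, Optional

# Constructed sample list: a few well-known public DoH hostnames plus a
# placeholder (the .invalid TLD is reserved and never resolves).
DOH_HOSTS = [
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "doh.example-provider.invalid",  # placeholder, not a real service
]


def next_serial(previous: Optional[int], today: date) -> int:
    """Return the next SOA serial in YYYYMMDD## format.

    If the previous serial was issued today, bump the two-digit counter;
    otherwise start today's counter at 00. The format only allows 100
    serials per day, so refuse to wrap rather than emit a serial that
    secondaries would treat as older than the one they already hold.
    """
    base = int(today.strftime("%Y%m%d")) * 100
    if previous is None or previous < base:
        return base
    if previous >= base + 99:
        raise ValueError("serial counter exhausted for today")
    return previous + 1


def normalise(hosts: Iterable[str]) -> list:
    """Lower-case, trim, drop blanks and duplicates, strip trailing dots."""
    cleaned = {h.strip().lower().rstrip(".") for h in hosts if h and h.strip()}
    return sorted(cleaned)


def rpz_zone(hosts: Iterable[str], zone_name: str, serial: int,
             ns: str = "ns.example.invalid.") -> str:
    """Render the zone body.

    Names are relative to the RPZ zone origin, which is how RPZ triggers are
    written. A CNAME pointing at '.' is the RPZ action for NXDOMAIN; the
    wildcard record catches subdomains of each listed host as well.
    """
    lines = [
        "$TTL 60",
        f"@ IN SOA {ns} hostmaster.{zone_name}. {serial} 3600 600 604800 60",
        f"@ IN NS {ns}",
    ]
    for host in normalise(hosts):
        lines.append(f"{host} CNAME .")
        lines.append(f"*.{host} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    serial = next_serial(None, date.today())
    print(rpz_zone(DOH_HOSTS, "doh-no", serial))
```

Load the resulting zone as a local master and reference it from BIND's `response-policy { zone "doh-no"; };` statement (or the equivalent in Unbound or Knot Resolver). Note that this only breaks the name lookup; clients hard-coded to a DoH server's IP address still need the firewall rule the post mentions.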
Update: Have added servers from the lists given here: https://community.cleanbrowsing.org/topic/dns-over-https-doh-providers-not-classified-as-proxy-vpn-or-similar/.
If you know of any that I’m missing please let me know.
* I’m fairly sure that Mozilla claimed that DoH was meant to give users more choice and trust but what do I know.