
Sorry, what I was trying to say is: you know each app tries to use a certain DNS server. So, in your Rasp Pi, you route their DNS server to point to your own (as you would with an /etc/hosts file); that way, when DoH occurs, you control the final resolution.

What I'm suggesting isn't merely setting up the 'default' DNS server. What I'm suggesting is 'cnaming' the name servers that apps attempt connecting to, to point elsewhere.



If you know the IP the DoH client uses you can intercept it. But you can’t spoof it without breaking TLS, which means deploying your own certificate.

This general industry move will lead to more TLS-breaking proxies and more network interception. All because people don’t want to understand how a network and OS work.

Making DoH at the application layer normal moves the power towards the centralised advertising network and away from the individual. That the SV culture likes this is unsurprising.



