I wonder if the ISPA (British telecom association) will nominate Microsoft for the 2020 Internet Villain Award.

https://www.ispa.org.uk/ispa-announces-finalists-for-2019-in...



The reason the ISPA did not like DoH is that UK law said they had to block/filter traffic. Per court order, a UK ISP would be obliged to block things, and if DNS was no longer an option, they would potentially start having to do IP blocking and BGP sinkholing (PDF warning):

* https://www.icann.org/sites/default/files/packages/ids-2019/...

That law now seems to be dead, which may reduce their worries on the matter:

* https://arstechnica.com/tech-policy/2019/10/uk-government-ab...

While I'm sure the ISP techs may have had some misgivings about DoH (plenty of tech-mind folks like Paul Vixie do), the strong response from the ISPA may have been guided by the lawyers.


It seems to me that UK ISPs might have more luck trying to modify the behavior of the UK government than the behavior of American tech corporations.


Read the article. Unlike Mozilla's approach, Microsoft's DoH rollout is intentionally designed to not bypass DNS-based filtering. ISPA shouldn't have any problem with what Microsoft is doing.


Au contraire, if you've configured Windows to use e.g. Google's DNS then it will bypass deep-packet-inspection-based DNS filtering.


Except the ISP will block 443/tcp for these widely known servers, and if I got it right, Windows will fall back to unencrypted DNS.


It sounds like in this early milestone they will NOT fall back to unencrypted DNS, to do a sort of 'scream test'.

> We can start seeing the challenges in enforcing the line on preferring resolution failure to unencrypted fallback. In line with principle 4, this DoH use will be enforced so that a server confirmed by Windows to support DoH will not be consulted via classic DNS. If this preference for privacy over functionality causes any disruption in common web scenarios, we’ll find out early.


Until HTTP/3 gets popular, and then 443/udp becomes a thing as well. :)


It should become an IETF RFC in the first place (it is still a draft).


Can users not already bypass this by using another DNS provider?



