1. 3

This example uses self-signed certificates, which need to be imported on clients. In addition, a doh-proxy (of your choice) is required.

Firefox about:config

network.trr.mode 2 # fallback to native resolver
network.trr.uri https://doh-proxy.url:port
network.trr.bootstrapAddress 10.10.10.10 # skip native resolver
  1.