Can you confirm the full technical method you were using to see DoH traffic? i.e. Destination IP/port/protocol
Suggested capture methods:
tcpdump -p --dont-verify-checksums -i any -NNnntt -B32768 -c2000 -s0 proto 6 and 'tcp[13] == 2' and not host ${Your_Router_IP} &
tcpdump -p --dont-verify-checksums -i any -NNnntt -B32768 -c4000 -s0 proto 17 and not host ${Your_Router_IP} and 'length <256' &
Don't paste the output, just suggestions for capturing HTTPS SYN and QUIC over UDP.
For what it's worth they have added a lot more outbound crap. Even using user.js [1] there is still a lot of leaky outbound noise. Loads of connections to fastly, cloudfront and others. It has gotten worse with time. I would probably also consider using a different browser but I can not give up the addons I use in Firefox. I will just blackhole route those CDN's and see what breaks.
Bender|4 months ago
Suggested capture methods:
Don't paste the output, just suggestions for capturing HTTPS SYN and QUIC over UDP.Bender|4 months ago
[1] - https://github.com/arkenfox/user.js