DNS over HTTPS is normally accessed via a domain name, i.e. Cloudflare's resolver is https://cloudflare-dns.com/dns-query. This presents a chicken-and-egg problem: to know where your resolver is you must first resolve it, and the current typical solution is to query the system- or network-provided resolver.
Alternatively you can access Cloudflare DNS at https://22.214.171.124/dns-query (or their IPv6 alternative). This solves the problem of knowing where the resolver is, because it's an IP address, so you do not have to use the traditional resolver for anything. The catch is that you have to have a certificate for your IP address.
And yes, I mainly want a LE cert because it's cool to have a publicly trusted cert on your IP address; also some people I know might use it, since I'll run it through Pi-hole. I already have quite a collection of domain names and am running a resolver on one of them at
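An added example (not part of the post above, and not Cloudflare's or Let's Encrypt's code) showing what "DoH at an IP literal" means on the wire: it builds the RFC 8484 wire-format query, encodes it for a DoH GET, parses the A records out of a response, and checks that the TLS peer certificate carries an iPAddress SAN for the address that was connected to, so the traditional resolver is never consulted. The resolver name `resolver.example`, the 192.0.2.0/24 addresses, the sample response bytes and the sample certificate dict are all constructed for the example; the only live call is `doh_query_by_ip`, which assumes Python 3.7+ so that OpenSSL verifies the IP SAN when the IP is passed as `server_hostname`.

```python
"""DoH bootstrapping from an IP literal: query encoding, response parsing,
and an iPAddress-SAN check on the peer certificate (added example)."""
import base64
import http.client
import ipaddress
import ssl
import struct


def encode_name(name):
    # DNS wire-format name: length-prefixed labels, terminated by a zero byte.
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1):
    # ID 0 and RD=1: RFC 8484 section 4.1 recommends ID 0 so HTTP caches can hit.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(path, query):
    # GET form: the query goes in ?dns= as unpadded base64url (RFC 8484 section 6).
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={dns}"


def skip_name(msg, off):
    # Advance past a (possibly compressed) name; a 0xC0 pointer is two bytes.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    # Return the IPv4 addresses in the answer section; raise on a non-zero RCODE.
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"DNS RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs


def cert_covers_ip(cert, ip):
    # cert is the dict ssl.SSLSocket.getpeercert() returns; an iPAddress SAN is
    # reported as ('IP Address', '192.0.2.1'). A dNSName that merely looks like an
    # IP does not count: the RFC 8738 identifier is the iPAddress SAN.
    want = ipaddress.ip_address(ip)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address" and ipaddress.ip_address(value) == want:
            return True
    return False


def doh_query_by_ip(ip, name, path="/dns-query"):
    # Live lookup (not exercised offline). Connecting to the IP literal means no
    # resolver is needed; on Python 3.7+ the IP passed as server_hostname makes
    # OpenSSL verify the certificate against its iPAddress SAN.
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(ip, 443, context=ctx)
    conn.request("GET", doh_get_url(path, build_query(name)),
                 headers={"Accept": "application/dns-message"})
    resp = conn.getresponse()
    body = resp.read()
    if not cert_covers_ip(conn.sock.getpeercert(), ip):
        raise ssl.SSLCertVerificationError(f"certificate does not cover {ip}")
    if resp.status != 200 or resp.getheader("Content-Type") != "application/dns-message":
        raise RuntimeError(f"unexpected DoH reply: {resp.status}")
    return parse_a_records(body)


# Constructed sample response: resolver.example A 192.0.2.1 and 192.0.2.2,
# answers using a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"          # QR+RD+RA, 1 q, 2 an
    + b"\x08resolver\x07example\x00" + b"\x00\x01\x00\x01"        # question: A IN
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x02"
)

# Constructed sample in the shape getpeercert() returns, with one IP SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "resolver.example"),),),
    "subjectAltName": (("DNS", "resolver.example"), ("IP Address", "192.0.2.1")),
}

if __name__ == "__main__":
    print(doh_get_url("/dns-query", build_query("www.example.com")))
    print(parse_a_records(SAMPLE_RESPONSE))
    print(cert_covers_ip(SAMPLE_CERT, "192.0.2.1"), cert_covers_ip(SAMPLE_CERT, "192.0.2.9"))
```

The `www.example.com` query encodes to the same `?dns=` string shown in RFC 8484 section 4.1.1, which is a cheap way to confirm the encoder. The SAN check is deliberately strict about the entry type: a certificate whose dNSName happens to spell out an address is not a certificate for that address.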
Regarding dnscrypt-proxy, I think you may be thinking of its DNSCrypt mode (which I'm not familiar with); DoH and DoT use the existing PKI infrastructure.
@9peppe I updated my post with a bit more information, I didn’t see your other posts when I submitted mine.
Hopefully this will give some people a sense of what is possible with this RFC; I have no doubt there are many other cool things you could do with this.