After successfully registering a sid allocation, my DoH rules are now available here; more info here.
The rules reject DNS requests for known (o)DoH domains, extracted from various lists.
A lot of DoH servers need to be contacted using <domain>/dns-query, so, to ensure that some of the new domains not appearing in any list yet could be captured by a rule, rejecting URLs ending with /dns-query appears to be a partial solution.
I tried various suggestions, found on duckduckgo, but I can’t get any of them to work.
Simplest example (doesn’t work):
alert tcp any any -> any any (msg:"(o)DoH Query"; content:"/dns-query"; http_uri; rev:1; sid:1000002;)
Any ideas on how to reject requests ending with /dns-query?
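Added example rules for the question above (not from the original post): the first two use the http.uri and http.content_type sticky buffers with endswith, which only see the request when it is plain HTTP or the TLS has been decrypted upstream, since DoH is normally HTTPS; the third matches a resolver's TLS SNI, which is visible without decryption. The sid values and the resolver name are placeholders.

```suricata
# Added example rules, not from the original post. sids 1000010-1000012 and the
# resolver name are placeholders; pick values from your own sid allocation.

# 1. Request URI ending with /dns-query (RFC 8484 path). Only matches when the
#    HTTP request is visible: plain HTTP, or TLS already decrypted by a proxy.
reject http any any -> any any (msg:"(o)DoH query by URI"; flow:established,to_server; http.uri; content:"/dns-query"; endswith; nocase; classtype:policy-violation; sid:1000010; rev:1;)

# 2. Same visibility limit; catches DoH POST requests regardless of path by the
#    media type RFC 8484 requires.
reject http any any -> any any (msg:"(o)DoH query by content type"; flow:established,to_server; http.content_type; content:"application/dns-message"; nocase; classtype:policy-violation; sid:1000011; rev:1;)

# 3. DoH over HTTPS: the URI is encrypted, so match the resolver name in the TLS
#    ClientHello SNI instead. One rule per known resolver domain (placeholder here).
reject tls any any -> any any (msg:"(o)DoH resolver by SNI"; flow:established,to_server; tls.sni; content:"doh.example.invalid"; endswith; nocase; classtype:policy-violation; sid:1000012; rev:1;)
```

Rule 3 is the one that fires for ordinary encrypted DoH traffic; rules 1 and 2 will stay silent on HTTPS unless Suricata sees decrypted HTTP.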