The pi-hole software turns the Raspberry Pi into a DNS server, so you can point your own DNS server (i.e. the Raspberry Pi) at the DNS provider of your choosing so that it can resolve uncached queries.

I don't think encryption matters because you control the sender (your PC), the first hop (the pi-hole), and the next resolution destination (Cloudflare/Quad9/Google/OpenDNS/etc.).




He is referring to the fact that apps will start ignoring local network DNS config and directly talk to their own hard coded DNS IPs.

I'm guessing the solution to that is to firewall various DNS IPs to force the app to use your local DNS. I could foresee apps going to random IPs for DNS and making it look like https, which will be hard to deal with.


> I could foresee apps going to random IPs for DNS and making it look like https, which will be hard to deal with.

DoH isn't really going to look like https; the requests and responses are going to be too small.

If you're serious about it, you don't allow any random IP connections, only allow connections to IPs that were received by DNS, and only return proxy addresses that you NAT to the real thing. It's more work, but it's still trivial.
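The policy sketched in the two comments above (force all DNS through the local Pi-hole, then allow egress only to addresses the resolver actually handed out, with those addresses being proxies that the gateway NATs to the real host) can be modelled in a few dozen lines. The following is an added example written for this page, not code from Pi-hole or from any commenter; the resolver address `192.168.1.2`, the proxy pool `10.99.0.0/24`, the external resolver `198.51.100.53` and all other addresses are constructed.

```python
"""Toy model of a DNS-gated egress gateway (added example, constructed data).

Two rules are enforced:
  1. Clients may only speak DNS to the local resolver. Plain DNS aimed at a
     hard-coded external resolver is steered back to the local one; DNS-over-TLS
     (port 853) cannot be rewritten, so it is dropped.
  2. A client may only connect to an address the local resolver handed out, and
     the resolver only hands out proxy addresses from a private pool. The gateway
     NATs each proxy address to the real host for as long as the answer's TTL
     lasts. A hard-coded destination IP is never in the table, so it is dropped.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Callable, Dict, Iterator, Optional, Tuple
import time

RESOLVER_IP = "192.168.1.2"      # assumed address of the local Pi-hole (constructed)
PROXY_POOL = "10.99.0."          # assumed private pool for proxy addresses (constructed)
DNS_PORTS = {53, 853}            # plain DNS and DNS-over-TLS

Verdict = Tuple[str, Optional[str]]   # ("accept"|"redirect"|"dnat"|"drop", target ip)


@dataclass
class DnsGatedGateway:
    # Injectable clock so lease expiry can be tested deterministically.
    now: Callable[[], float] = time.time
    # proxy address -> (real address, lease expiry as a timestamp)
    leases: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    _ids: Iterator[int] = field(default_factory=lambda: count(1))

    def resolve(self, real_ip: str, ttl: int) -> str:
        """Called when the local resolver returns an A record to a client:
        hide the real address behind a fresh proxy address and lease the
        mapping for the record's TTL. The client only ever sees the proxy."""
        proxy = f"{PROXY_POOL}{next(self._ids)}"
        self.leases[proxy] = (real_ip, self.now() + ttl)
        return proxy

    def decide(self, dst_ip: str, dst_port: int) -> Verdict:
        """Firewall verdict for one outbound client flow."""
        if dst_port in DNS_PORTS:
            if dst_ip == RESOLVER_IP and dst_port == 53:
                return ("accept", RESOLVER_IP)
            # App ignoring the network's DNS settings: steer plain DNS back to
            # the local resolver; DoT to an external resolver is simply dropped.
            return ("redirect", RESOLVER_IP) if dst_port == 53 else ("drop", None)

        lease = self.leases.get(dst_ip)
        if lease is None:
            # Never handed out by the resolver (e.g. a hard-coded IP, or a real
            # address learned out of band): not reachable through this gateway.
            return ("drop", None)
        real_ip, expiry = lease
        if expiry <= self.now():
            # Lease ended with the TTL; the client must re-resolve the name.
            del self.leases[dst_ip]
            return ("drop", None)
        return ("dnat", real_ip)


def demo() -> Dict[str, Verdict]:
    """Walk through the scenarios from the thread with a fixed clock."""
    clock = [1000.0]
    gw = DnsGatedGateway(now=lambda: clock[0])
    proxy = gw.resolve("203.0.113.10", ttl=60)       # constructed web host
    results = {
        "dns to local resolver": gw.decide(RESOLVER_IP, 53),
        "dns to hard-coded resolver": gw.decide("198.51.100.53", 53),
        "dot to hard-coded resolver": gw.decide("198.51.100.53", 853),
        "https to resolved proxy": gw.decide(proxy, 443),
        "https to real ip directly": gw.decide("203.0.113.10", 443),
    }
    clock[0] += 61                                    # past the 60 s TTL
    results["https to proxy after ttl"] = gw.decide(proxy, 443)
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:32s} -> {verdict}")
```

Note what this does and does not cover: an app that hides DoH inside a TLS session to a hard-coded IP still fails, not because the gateway recognises DoH, but because that IP was never returned by the local resolver. The model does not attempt the packet-size heuristic mentioned in the thread, and a real deployment would do this with conntrack and NAT rules rather than a Python table.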


> ...only allow connections to IPs that were received by DNS

Works for a home / office setup. I think the main use of DoH is circumventing government-enforced censorship, to the extent that it can.

For ISPs to use "packet sizes" they'd need to run stateful firewalls at scale, which is unheard of, and possibly very expensive to run at that scale.



