Re: El Reg, I love you
Don't allow direct connections to external networks—make everything go through a proxy server. Alternatively, configure your IPS to block traffic if anything tries to talk to an IP address that hasn't recently been returned in a response from your DNS server.
The only real change for malware is that it could potentially use legitimate third-party DoH services, but those can all be blacklisted; and if an actor can use their own DoH server's IP address to bypass DNS-based filtering, they can also open a connection to that IP address without using any sort of DNS.
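The IPS rule described in the post, as an added example that is not part of the comment or of any product: it correlates a resolver log with a firewall connection log and flags outbound connections whose destination IP was not returned by the internal DNS server shortly before. Log formats, addresses, the 300-second "recent" window and the internal network list are all constructed assumptions.

```python
"""Flag outbound connections to IPs that the internal resolver did not recently answer with."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

WINDOW = timedelta(seconds=300)  # assumed: how long a DNS answer counts as "recent"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal ranges, skipped

# Constructed resolver log: timestamp, client, qname, rtype, answer IP
DNS_LOG = [
    "2024-05-01T10:00:00 10.0.0.5 www.example.com A 203.0.113.10",
    "2024-05-01T10:00:05 10.0.0.7 updates.example.net A 198.51.100.20",
]

# Constructed firewall log: timestamp, src, dst, dport
CONN_LOG = [
    "2024-05-01T09:59:50 10.0.0.5 203.0.113.10 443",   # connected BEFORE the answer -> flag
    "2024-05-01T10:00:02 10.0.0.5 203.0.113.10 443",   # answered 2s earlier -> ok
    "2024-05-01T10:00:09 10.0.0.9 203.0.113.77 443",   # never resolved via our DNS -> flag
    "2024-05-01T10:00:10 10.0.0.9 10.0.0.1 53",        # internal destination -> skipped
    "2024-05-01T10:00:30 10.0.0.7 198.51.100.20 443",  # answered 25s earlier -> ok
    "2024-05-01T10:10:00 10.0.0.7 198.51.100.20 443",  # answer is 595s old -> stale -> flag
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def index_dns_answers(lines):
    """Map each answer IP to the sorted times the resolver returned it."""
    seen = defaultdict(list)
    for line in lines:
        ts, _client, _qname, _rtype, answer = line.split()
        seen[answer].append(parse_ts(ts))
    for times in seen.values():
        times.sort()
    return seen

def recently_resolved(ip, at, seen, window=WINDOW):
    """True if `ip` appeared in a DNS answer within `window` before (not after) `at`."""
    return any(at - window <= t <= at for t in seen.get(ip, []))

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def flag_unresolved_connections(conn_lines, dns_lines, window=WINDOW):
    """Return (ts, src, dst, dport) tuples for external connections that bypassed DNS."""
    seen = index_dns_answers(dns_lines)
    flagged = []
    for line in conn_lines:
        ts, src, dst, dport = line.split()
        if is_internal(dst):
            continue
        if not recently_resolved(dst, parse_ts(ts), seen, window):
            flagged.append((ts, src, dst, dport))
    return flagged
```

A host that reaches a third-party DoH resolver by hard-coded IP never has that IP appear in the internal resolver's answers, so the same check surfaces the bypass the post mentions; hosts with long local caches will produce stale-answer hits unless the window is tuned to observed TTLs.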