I updated my DoH solution for Linux, BSD and OSX to contain more features:
* to allow certain domains to be excempted from DoH lookups and
to be forwarded to internal DNS servers instead; in order to
support enterprise/VPN setups where certain internal
domains will not resolve via public DoH servers
* add 0-RTT support; unfortunately I did not find any
public DoH service that actually supports 0-RTT, despite some
companies annoucing it
If you want to use 0-RTT and experiment with it, you need to build it with OpenSSL 1.1.1 or later and you need to find a DoH server supporting it. Interestingly, Cloudflare DoH servers seem to keep TLS connections opened longer than in past. As 0-RTT only comes to play after the 1st connection by reusing TLS session tickets exchanged by the previous connection, 0-RTT will never come to play when everything works smoothly. Maybe they decided to disable 0-RTT in favor of longer lasting connections; I could not trigger 0-RTT via Cloudlfare DoH at least. If you have more infos on it, just let me know.
I also added DoH servers from switzerland to the default config, in order to distribute lookups and to avoid placing too much lookup data to the big companies.