Forum Discussion
Windows not Respecting DNS-over-HTTPS Templates
What appears to be happening is that Microsoft have enabled "Discovery of Designated Resolvers" (DDR) by default for everyone now.
Therefore, if the DNS-over-HTTPS mode in Windows settings is set to "On (automatic template)" – and not "On (manual template)" – DDR will take priority over the Windows list of known DoH DNS servers.
As DDR has priority, adding the Cloudflare malware-blocking DNS resolvers to the Windows list of known DoH DNS servers (using the Add-DnsClientDohServerAddress PowerShell cmdlet) won't have any effect, as Windows ignores it and uses DDR instead.
In order for Windows to use a template instead of DDR, the Windows setting needs to be set to "On (manual template)" and the template entered manually. Alternatively, if "Require DoH" is set via Group Policy, this forces Windows to use the Windows list of known DoH DNS servers, but I think this is more of a side effect.
The reason why the DoH DNS resolver URL is incorrect when received through DDR, appears to be because Quad9 and Cloudflare have only configured "Discovery of Designated Resolvers" (DDR) for their main DNS service, not their additional DNS services. Therefore, if you use 1.1.1.2 instead of 1.1.1.1 (Cloudflare) or 9.9.9.10 instead of 9.9.9.9 (Quad9), the SVCB records return the incorrect host names.
https://community.cloudflare.com/t/dns-for-families-compatibility-with-discovery-of-designated-resolvers-ddr/644884
Unfortunately, it's not possible to query SVCB records using Windows command-line tools such as PowerShell (i.e. https://learn.microsoft.com/en-us/powershell/module/dnsclient/resolve-dnsname?view=windowsserver2022-ps#-type); you need to use Linux or macOS terminals to test.