To be honest, the way of using `use-application-dns.net` being blocked by **unauthenticated**, regular DNS servers is the worst idea one could come up with.
It makes it trivial to perform a downgrade attack on any network and makes a lot of the promises DoH by default provides useless.
There are good reasons why we don't allow downgrades on other protocols, so why suddenly on HTTP?
The answer is as always "we don't want to break [wrongly setup] things".