If IPFire is already set up via firewall rule to force all DNS queries through its resolvers, is there any further benefit to enabling the DNS-over-HTTPS category?
Yes. Because DoH uses the HTTPS protocol ( port 443 ), the firewall redirects only ports 53 and 853.
A redirection of port 443 to the resolver would not make sense.
Yes, Bernhard is right, they are somewhat two different things.
Redirecting DNS is good practise so that you will always receive and therefore be able to filter to any DNS queries. Any clients that are using DoT or DoH directly will circumvent this as those protocols are designed for that.
So what I would do on my network is to enable the DoH category but only for GREEN (and BLUE if you are using that). That way, you can still use DoT to connect to your upstream providers, but your clients can’t connect to anything on the list.
That would be a clean design and it would be robust enough in most setups.