FYI - I found two ways to do an “allowlist” for DoH (your favorite DoH server in a list that you cannot live without).
The first is “hacky” and adds a semicolon before the domain name. It changes this:
doh.dns.apple.com CNAME .
to this:
;doh.dns.apple.com CNAME .
and that allows the DoH server to work as usual.
And the second creates an allowlist with a similar format to this:
https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOH.rpz
My test allowlist is only two domains long.
I still need to finish scripting the second one.
Is this (either of the above) helpful to anyone?
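
The first method described above, as an added example that is not part of the original post: a script that comments out allowlisted names in an RPZ zone. It assumes the `name CNAME .` record format shown in the post; `apply_allowlist`, `normalize` and the sample zone are hypothetical names and constructed data, not taken from the real DOH.rpz.

```python
import re

# An active RPZ record "<owner> [ttl] [IN] CNAME <target>", e.g. the post's
# "doh.dns.apple.com CNAME .". Lines starting with ';' never match.
RECORD = re.compile(
    r"^\s*(?P<owner>[^\s;]+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+\S+", re.IGNORECASE
)


def normalize(name):
    """Lower-case a domain name and drop any trailing dot."""
    return name.strip().lower().rstrip(".")


def apply_allowlist(zone_text, allowlist):
    """Prefix ';' to every CNAME record whose owner name is allowlisted.

    Matching is exact: allowlisting "doh.dns.apple.com" leaves a separate
    "*.doh.dns.apple.com" record active unless it is listed as well.
    Returns (new_zone_text, owner_names_that_were_commented_out).
    """
    allowed = {normalize(d) for d in allowlist if d.strip()}
    out, disabled = [], []
    for line in zone_text.splitlines():
        m = RECORD.match(line)
        if m and normalize(m.group("owner")) in allowed:
            out.append(";" + line)
            disabled.append(m.group("owner"))
        else:
            out.append(line)  # comments, SOA/NS, directives, other records
    return "\n".join(out) + "\n", disabled


# Constructed sample zone for illustration only.
SAMPLE_ZONE = """\
$TTL 300
@ SOA localhost. root.localhost. 1 3600 600 86400 300
@ NS localhost.
doh.dns.apple.com CNAME .
*.doh.dns.apple.com CNAME .
;dns.example.net CNAME .
doh.example.org CNAME .
"""

if __name__ == "__main__":
    new_zone, disabled = apply_allowlist(SAMPLE_ZONE, ["doh.dns.apple.com"])
    print(new_zone, end="")
    print("commented out:", disabled)
```

Running it a second time on its own output changes nothing, so it can be re-applied after each blocklist update.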