Non-surprisingly, DoH https traffic has some distinct properties that makes it identifiably without decryption, at least according to a very small scale test by the ISC: https://isc.sans.edu/forums/diary/Is+it+Possible+to+Identify+DNS+over+HTTPs+Without+Decrypting+TLS/25616/
Probably would need some kind of padding or such, in both directions.
@galaxis I'm pretty sure Chinese GFW has been able to detect them for a long time. Every time I try to set up a DoH proxy myself, right after I try to send a query for the first time, my IP will be blocked for ~30 minutes. Sending any other type of traffic, even VPN traffic, would not have such effect.
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!