Thanks for your engagement on this. I did switch to configuration profiles as it is much faster to iterate on the settings. However, I continue to see the same behavior no matter what combinations I try.

Hello—I'm also encountering the "blocking encrypted DNS" privacy warning message on my network. In my case, I have not yet installed any encrypted DNS profiles or apps. I happen to control the network, and I have no intentional policies in place restricting outbound traffic . I do operate a local DNS forwarder that resolves certain company internal domains not resolvable on public DNS servers, but today we do not block any known canary domains to force use of the resolver. Is there any documentation on the algorithm being used to determine if encrypted DNS is blocked? Is there any caching such that, say, a one-off failed DNS query could cause a network to get flagged and remain flagged?