Does the DNS Protection support DNS over TLS and DNS over HTTPS?

At the moment, DNS over TLS and DNS over HTTPS are not supported, although it is high up on our to-do list after the GA release.

Using NAT works OK as a way to capture 'classic' DNS traffic, as you can set up a rule that applies to all port 53 traffic. It may also work for DNS over TLS, as that protocol uses a dedicated port, but will not be great for DNS over HTTPS as it shares a port with regular DNS traffic. Keeping tabs on all potential destination IP addresses is more of a challenge.

At the moment, DNS over TLS and DNS over HTTPS are not supported, although it is high up on our to-do list after the GA release.

Using NAT works OK as a way to capture 'classic' DNS traffic, as you can set up a rule that applies to all port 53 traffic. It may also work for DNS over TLS, as that protocol uses a dedicated port, but will not be great for DNS over HTTPS as it shares a port with regular DNS traffic. Keeping tabs on all potential destination IP addresses is more of a challenge.

Yes, I was thinking that DNS over TLS would be straightforward. DNS, as you say, is trickier, though it'll be using port 443 and UDP (like QUIC) which might or might not be a useful clue. (Though I block QUIC as a matter of course.)

I'm pretty sure DNS over HTTPS uses regular TCP-based HTTPS, not UDP. There is a DNS over QUIC variant which is not yet widely supported.