Given here are the limitations for DNS-over-HTTPS of Cisco Security for Chromebook client.

Internal DomainsChromeOS does not allow configuration of customers' internal domains, which affects configurations involving split domains or split brain DNS configurations. However, if DNS-over-HTTPS (DoH) cannot resolve internal domains, ChromeOS does a local resolution as a backup. To address this situation, you can use the "DNS-over-HTTPS with insecure fallback" configuration in Google Workspace. For detailed steps, see Enabling DNS-over-HTTPS with Insecure Fallback guide.
Virtual ApplianceVirtual Appliance (VA) detection and backoff is not supported by the DNS-over-HTTPS based solution because of ChromeOS limitations. However, customers should not face any issues with DNS resolutions in Chromebooks because of this limitation.
Email addresses containing upper case lettersCustomers, whose email addresses contain upper case letters, will face an issue during migration to the new client. Chrome OS converts all the letters of the email address to lower case when creating the DoH URL. This discrepancy in addresses leads to a hash mismatch, causing user traffic to be dropped by the Umbrella Policy engine.
Cisco recommends that customers with email addresses containing uppercase letters, wait for the issue to be resolved before migrating to the new client.
For more information, click here.

Prerequisites > Limitations > Google Workspace Identity Service