The following are the limitations of DNS-over-HTTPS in the context of Cisco Security for Chromebook client.

Internal domainsChromeOS does not allow the configuration of customers' internal domains, which in turn, affects configurations involving split domains or split-brain DNS configurations. If DNS-over-HTTPS (DoH) cannot resolve internal domains, ChromeOS performs a local resolution as a backup.
To address the scenario of ChromeOS not allowing the configuration of customers' internal domains, use the DNS-over-HTTPS with insecure fallback configuration in Google Workspace. For detailed steps, see Enabling DNS-over-HTTPS with Insecure Fallback guide.
Virtual applianceVirtual appliance detection and backoff are not supported by the DoH-based solution because of ChromeOS limitations. However, customers are unlikely to face issues with DNS resolutions in Chromebooks because of this limitation.
APP authenticationWhile using Secure Web Gateway (SWG) for Cisco Security for Chromebook client, you might face difficulties in uploading or downloading files in apps such as Gmail and Google Drive. This problem occurs because of a proxy authentication challenge–the SWG proxy lacks the required authentication headers for specific app requests, causing errors in authorizing file transfers. For in-depth information, see SWG for Umbrella Chromebook Client file upload and download issue
Email addresses containing upper case lettersCustomers, whose email addresses contain upper case letters, will face an issue during migration to the new client. ChromeOS converts all the letters of the email address to lowercase when creating the DoH URL. This discrepancy in addresses leads to a hash mismatch, causing user traffic to be dropped by the Umbrella Policy engine.
We recommend that customers with email addresses containing uppercase letters wait for the issue to be resolved before migrating to the new client.
For more information, click here.

Prerequisites > Limitations > Google Workspace Identity Service