The following are the limitations of DNS-over-HTTPS in the context of Cisco Security for Chromebook client.

Internal domainsChromeOS does not allow the configuration of customers' internal domains, which in turn, affects configurations involving split domains or split-brain DNS configurations. If DNS-over-HTTPS (DoH) cannot resolve internal domains, ChromeOS performs a local resolution as a backup.
To address the scenario of ChromeOS not allowing the configuration of customers' internal domains, use the DNS-over-HTTPS with insecure fallback configuration in Google Workspace. For detailed steps, see Enabling DNS-over-HTTPS with Insecure Fallback guide.
Virtual applianceVirtual appliance detection and backoff are not supported by the DoH-based solution because of ChromeOS limitations. However, customers are unlikely to face issues with DNS resolutions in Chromebooks because of this limitation.
APP authenticationWhile using Secure Web Gateway (SWG) for Cisco Security for Chromebook client, you might face difficulties in uploading or downloading files in apps such as Gmail and Google Drive. This problem occurs because of a proxy authentication challenge–the SWG proxy lacks the required authentication headers for specific app requests, causing errors in authorizing file transfers. For in-depth information, see SWG for Umbrella Chromebook Client file upload and download issue

Prerequisites > Limitations > Google Workspace Identity Service