Looks like they rolled out changes to how DoH is handled in “managed” browsers (when any policy whatsoever is present).
If you see “managed by your organization” in the kebab menu (triple dot), that means Chrome, in order to prevent rollout issues breaking DNS filters, won’t show the “Secure DNS lookups” in chrome://flags/#dns-over-https.
I had a bogus policy set up from some stuff I was trying, so it was hidden from me. Removing it shows:
Now, which DNS over HTTPS server it chooses is based on the existing DNS servers your DHCP is sending (or the servers configured in Windows/macOS, not sure).
See this commit:
It uses the DNS setup to choose the DNS server it should upgrade to. If your router is broadcasting 1^4 IPs as the DNS endpoint to use, Chrome should use 1.1.1.1’s DoH server and https://1.1.1.1/help should show DoH enabled.