DoT port is unique matching both IPv4 and IPv6 traffic, so filtering by port works well.
DoH uses the same port as HTTPS, so we need to filter by the destination IP address.
There are many public DoH servers, and filtering them all efficiently relies on IP sets.
Each IP set contains only IPv4 or IPv6 entries, so a couple of sets/rules is necessary.