NCSG-DISCUSS Archives

NCSG-Discuss

NCSG-DISCUSS@LISTSERV.SYR.EDU

Subject:
From:
Michael Casadevall <[log in to unmask]>
Reply To:
Michael Casadevall <[log in to unmask]>
Date:
Tue, 19 Nov 2019 19:01:57 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (25 lines)
I've done a fair bit of talking and research with DoH. To summarize,
the problem is it removes the distributed part of the domain name
system by basically drastically reducing the number of resolvers in
use. That in and of itself might be acceptable if DoH (and DoT)
bothered to fix some of the more fundamental flaws of DNS security
instead of slapping on a level of encryption and going "yeah that's
good".

It also marries all the pain of the WebPKI to the DNS ecosystem, when
the former depends on the latter to check revocation information
through AIA/OCSP/CRLs.

Michael

On Tue, Nov 19, 2019 at 3:25 PM Sam Lanfranco <[log in to unmask]> wrote:
>
> I could do with some expert opinion and enlightenment here. From what I read the following move is likely to have a negative effect on the security of the DNS system.
>
> From circleID: Microsoft Announces Plans to Adopt DoH in Windows
>
> Microsoft announced today its plans to adopt DNS over HTTPS (DoH) protocol in Windows and will also keep other options such as DNS over TLS (DoT) on the table for consideration. "[S]upporting encrypted DNS queries in Windows will close one of the last remaining plain-text domain name transmissions in common web traffic," noted the company in a post. Microsoft further added: "For our first milestone, we'll start with a simple change: use DoH for DNS servers Windows is already configured to use. There are now several public DNS servers that support DoH, and if a Windows user or device admin configures one of them today, Windows will just use classic DNS (without encryption) to that server. However, since these servers and their DoH configurations are well known, Windows can automatically upgrade to DoH while using the same server."
>
> For commentary on the issue: https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
> Sam L.
>

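As an added illustration of the "automatic upgrade" described in the quoted Microsoft post (example code written for this archive, not Microsoft's or any resolver's implementation): a client keeps the resolver it was configured with, looks it up in a table of well-known DoH endpoints, and, if found, sends the same DNS query as an RFC 8484 GET request instead of classic UDP/53. The resolver table and the resolver addresses in it are assumptions for the example; the trust decision is unchanged by the upgrade, since the DoH endpoint is only as trustworthy as its WebPKI certificate and the revocation checks that certificate depends on.

```python
import base64
import struct
from typing import Optional
from urllib.parse import urlsplit

# Constructed table for the example: configured resolver address -> DoH URI
# template. Real deployments ship such a list; these entries are assumed here.
KNOWN_DOH_RESOLVERS = {
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "8.8.8.8": "https://dns.google/dns-query",
}

def upgrade_resolver(configured_ip: str) -> Optional[str]:
    """Return the DoH template for a known resolver, or None to keep classic DNS."""
    return KNOWN_DOH_RESOLVERS.get(configured_ip)

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal RFC 1035 wire-format query (ID 0, RD set, one question).
    ID 0 is used so identical queries yield identical, cacheable DoH URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_url(template: str, name: str, qtype: int = 1) -> str:
    """Encode the query as an RFC 8484 GET request: base64url, padding stripped."""
    wire = build_dns_query(name, qtype)
    dns_param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{template}?dns={dns_param}"

def plan_query(configured_ip: str, name: str) -> dict:
    """Decide how a query for `name` is sent given the configured resolver."""
    template = upgrade_resolver(configured_ip)
    if template is None:
        # Unknown resolver: the client falls back to plain DNS on port 53.
        return {"transport": "do53", "target": configured_ip}
    # Known resolver: same operator, but now reached over HTTPS. The TLS
    # certificate for this hostname is validated through the WebPKI, whose
    # AIA/OCSP/CRL lookups themselves resolve names through DNS.
    return {"transport": "doh", "target": urlsplit(template).hostname,
            "url": doh_get_url(template, name)}

if __name__ == "__main__":
    print(plan_query("1.1.1.1", "example.com"))
    print(plan_query("192.0.2.53", "example.com"))
```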