How do you do split-horizon DNS if the browser goes out to some random IP for DNS instead of using the OS-supplied resolver (resolv.conf)?
If malware starts using it to contact C&C servers, how do I find the domain that's being talked to? If malware has to talk to internal DNS servers, I can examine the query log. If the malware uses Cloudflare's CDN IPs for DNS, am I supposed to block all of Cloudflare?
If it's malware behaviour you're worried about, DoH is not special in any way. Malware using tunnels (and more) to ensure connectivity to its C&C servers is commonplace.
Of course DNS is used often; it's the most convenient. But the point isn't "sometimes DNS is used"; I never claimed "DNS is never used".
The point is "DNS is not the only way and malware authors have known and used this fact". The counter-convenience you seem to be looking for — to quote your prior statement, with added emphasis: "If malware has to talk to internal DNS servers ..." — was never there in the first place. No matter how hard you try, there is no way you can force all malware ever to always talk to your internal DNS servers.
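Added example, not posted by anyone in this thread: the exchange the comments above are arguing over, written out in working Python so you can see exactly what a DoH query carries and where the queried name is (and is not) observable. It builds an RFC 8484 GET request the way a browser would, shows what the network sees without TLS interception (only the resolver hostname in SNI), then shows what a TLS-terminating proxy could recover from the request and from a constructed `application/dns-message` response. The resolver URL is assumed to be Firefox's default TRR endpoint; `c2.example.net` and `203.0.113.10` are constructed sample values.

```python
"""DoH (RFC 8484) query/response on the wire: what is visible where.

Added example for the thread above, not the original poster's code.
Assumptions: RESOLVER is Firefox's default TRR endpoint; the domain and
address below are constructed sample values, not real infrastructure.
"""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

RESOLVER = "https://mozilla.cloudflare-dns.com/dns-query"  # assumed default TRR URL


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal DNS wire-format query: 12-byte header plus one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url of the wire query, padding stripped."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def visible_without_tls_inspection(url: str) -> str:
    """All a passive observer on the LAN gets: the resolver host (SNI / IP)."""
    return urlsplit(url).hostname or ""


def parse_qname(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if (length & 0xC0) == 0xC0:  # compression pointer to earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = parse_qname(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def queried_name_from_url(url: str) -> str:
    """What a TLS-terminating proxy can recover from the GET request."""
    b64 = parse_qs(urlsplit(url).query)["dns"][0]
    b64 += "=" * (-len(b64) % 4)  # restore padding for the decoder
    wire = base64.urlsafe_b64decode(b64)
    name, _ = parse_qname(wire, 12)  # question starts right after the header
    return name


def build_dns_response(query: bytes, ipv4: str, ttl: int = 60) -> bytes:
    """Constructed resolver answer: echo the question, add one A record.

    The answer name is a compression pointer (0xC00C) to the question name.
    """
    (txid,) = struct.unpack("!H", query[:2])
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_a_records(msg: bytes) -> list[tuple[str, str]]:
    """Extract (name, address) for every A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip questions
        _, offset = parse_qname(msg, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = parse_qname(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata)))
    return records


if __name__ == "__main__":
    query = build_dns_query("c2.example.net", txid=0x1234)
    url = doh_get_url(RESOLVER, query)
    print("browser sends  :", url)
    print("LAN observer   :", visible_without_tls_inspection(url))
    print("after TLS term :", queried_name_from_url(url))
    print("answer records :", parse_a_records(build_dns_response(query, "203.0.113.10")))
```

The query never touches the internal resolver, so its log is empty for this name; without terminating TLS, all the network sees is an HTTPS session to the resolver host. A DNS-based detection built on "the malware has to ask my server" simply does not fire here, which is the point the reply above is making.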
Requests take orders of magnitude more data because you have to negotiate TLS each time. Not the end of the world obviously but you will generate more traffic and observe slightly reduced performance.
You get to do session resumption or even re-use an existing session if it hasn't closed yet.
For a random third party that might still be slow but Mozilla and Cloudflare have every reason to do every trick that's safe to speed this up, including 0RTT TLS because replaying DNS queries isn't a problem.
0 = use whatever the default is (one of the below)
1 = race DoH and regular dns and use whichever replies first
2 = try DoH and then fall back to regular dns
3 = only DoH
4 = unused
5 = explicitly off
The default resolver is identical to 1.1.1.1 except it collects less data: https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...