by throw0101a 2535 days ago
> Is there any disadvantage about activating it?

How do you do split-horizon DNS if the browser goes out to some random IP for DNS instead of using the OS-supplied resolver (resolv.conf)?

If malware starts using it to contact C&C servers, how do I find the domain that's being talked to? If malware has to talk to internal DNS servers, I can examine the query log. If the malware uses Cloudflare's CDN IPs for DNS, am I supposed to block all of Cloudflare?

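One defender-side check that follows from this worry, added here as an example and not taken from the thread: correlate the internal resolver's query log with a flow log to find hosts that reach known public DoH resolvers on 443 while making few or no queries to the internal resolver. The log formats, the resolver list and all IPs are constructed assumptions.

```python
"""Find hosts that reach public DoH resolvers while bypassing the internal resolver."""
import re
from collections import defaultdict

# Constructed sample: BIND-style query log from the internal resolver (10.0.0.2).
QUERY_LOG = """\
client 10.0.0.5#53211: query: intranet.corp.example IN A + (10.0.0.2)
client 10.0.0.5#53212: query: mail.corp.example IN A + (10.0.0.2)
client 10.0.0.9#40001: query: intranet.corp.example IN A + (10.0.0.2)
"""

# Constructed sample: flow records "src dst dport" from a firewall or NetFlow export.
FLOW_LOG = """\
10.0.0.5 10.0.0.2 53
10.0.0.9 10.0.0.2 53
10.0.0.7 1.1.1.1 443
10.0.0.7 203.0.113.10 443
10.0.0.9 1.0.0.1 443
"""

# Assumed watch list of public DoH resolver addresses; extend it to taste.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN")


def internal_query_counts(query_log):
    """Map client IP -> number of distinct names it asked the internal resolver for."""
    names = defaultdict(set)
    for line in query_log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            names[m.group(1)].add(m.group(2))
    return {client: len(seen) for client, seen in names.items()}


def doh_bypass_report(query_log, flow_log, doh_resolvers=DOH_RESOLVERS):
    """Return {client: {"resolvers": [...], "internal_queries": n}} for every client
    seen talking to a known DoH resolver on 443. A client with zero internal queries
    is the blind spot the comment describes: its lookups never reach the query log."""
    internal = internal_query_counts(query_log)
    hits = defaultdict(set)
    for line in flow_log.splitlines():
        src, dst, dport = line.split()
        if dport == "443" and dst in doh_resolvers:
            hits[src].add(dst)
    return {src: {"resolvers": sorted(dsts), "internal_queries": internal.get(src, 0)}
            for src, dsts in hits.items()}


if __name__ == "__main__":
    for client, info in doh_bypass_report(QUERY_LOG, FLOW_LOG).items():
        print(client, info)
```

Matching on resolver IPs only catches the well-known public resolvers; a DoH endpoint on an arbitrary HTTPS host, which is the actual worry here, looks like any other TLS connection in this data.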

If it's malware behaviour you're worried about, DoH is not special in any way. Malware using tunnels (and more) to ensure connectivity to their C&C servers is commonplace.
And how does the malware determine which IP to connect to? Often, though of course not always, they use DNS:

* https://en.wikipedia.org/wiki/Fast_flux

Of course DNS is used often; it's the most convenient. But the point isn't "sometimes DNS is used"; I never claimed "DNS is never used".

The point is "DNS is not the only way and malware authors have known and used this fact". The counter-convenience you seem to be looking for — to quote your prior statement, with added emphasis: "If malware has to talk to internal DNS servers ..." — was never there in the first place. No matter how hard you try, there is no way you can force all malware ever to always talk to your internal DNS servers.