by throw0101a 2535 days ago
> People should cut it out with the split horizon DNS.

We have a bunch of internal-only 10.x hosts and services. Why would we put them in our external DNS?

> If you need malware to be nice and use your configured security systems or else it'll cause problems I have bad news for you: the malware authors aren't on your side.

I don't. But if I see DNS traffic flowing from systems that are not our internal DNS servers, I know to look at them.

It's the same reason SMTP traffic was bottlenecked: everything goes through relays so it can be monitored.

> If your defences begin by assuming bad guys are only doing things that obey all your rules you've fundamentally misunderstood what "bad guys" even are.

Defences begin with observation. With DoH you can't tell what's going on with regard to queries. I'd much rather have DoT: it still gives privacy, but since it has its own port it can be dealt with more easily. Of course, having an IANA-assigned port allows for ISP/government filtering.
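The observation point the comment makes (DNS egress from anything that is not an internal resolver is worth a look, DoT is spottable by port, DoH is not) can be turned into a small egress check. The following is an added example, not the commenter's code: it assumes two hypothetical internal resolvers, 10.0.0.53 and 10.0.1.53, an internal range of 10.0.0.0/8, and a constructed set of flow records in a simple "src dst proto dport" form.

```python
"""Flag DNS egress that bypasses the internal resolvers.

Added example. Resolver addresses, internal range and flow records are all
assumed/constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # assumed internal resolvers
INTERNAL_NETS = [ip_network("10.0.0.0/8")]         # assumed internal range


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(lines):
    """Parse 'src dst proto dport' records; '#' starts a comment."""
    flows = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.upper(), int(dport)))
    return flows


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def classify(flow):
    """Return a finding label for an egress flow, or None if it is unremarkable."""
    # Only internal -> external traffic is of interest here.
    if not is_internal(flow.src) or is_internal(flow.dst):
        return None
    # Plain DNS leaving the network from a host that is not a resolver.
    if flow.dport == 53 and flow.src not in INTERNAL_RESOLVERS:
        return "rogue-dns"
    # DoT has its own port, so it is visible even though the payload is encrypted.
    if flow.dport == 853:
        return "dot-egress"
    # DoH rides on 443 and is indistinguishable from other HTTPS by port alone.
    return None


def detect(lines):
    """Return (src, dst, dport, label) for every flow that gets a finding."""
    findings = []
    for flow in parse_flows(lines):
        label = classify(flow)
        if label is not None:
            findings.append((flow.src, flow.dst, flow.dport, label))
    return findings


# Constructed sample records (src dst proto dport).
SAMPLE_FLOWS = """
10.0.0.53  8.8.8.8   udp 53    # resolver forwarding upstream: expected
10.1.2.3   10.0.0.53 udp 53    # workstation to internal resolver: expected
10.1.2.3   8.8.8.8   udp 53    # workstation bypassing the resolvers
10.1.2.4   1.1.1.1   tcp 853   # DoT straight out of the network
10.1.2.5   1.1.1.1   tcp 443   # could be DoH; looks like any HTTPS flow here
"""

if __name__ == "__main__":
    for src, dst, dport, label in detect(SAMPLE_FLOWS.splitlines()):
        print(f"{label}: {src} -> {dst}:{dport}")
```

The last sample record is the point of the DoT-versus-DoH argument: the port-853 flow is flagged, the port-443 flow is not, because nothing in a flow record separates a DoH session from ordinary HTTPS.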