by YarickR2 2473 days ago
Well, now CF will know per-organization IT structures. All those LAN-only administrative interfaces, and, with link prefetching, internal resource maps could be built in just a few clicks, using an account with sufficient privileges. This is such a security-defying move by Mozilla I can't even start. And CF DNS logs will be the obvious first step for every targeted attack.
1 comment

Sure, if your targeted attacker has managed to compromise Cloudflare first… Not exactly a trivial prerequisite. If you have any kind of VPN or Wi-Fi access to your network, those domain names are already leaking to other DNS providers whenever someone accidentally accesses a URL while on the wrong network.

Also, if your internal resources are using publicly trusted SSL certificates, the domain names are already being broadcast to the public thanks to Certificate Transparency. If you’re sophisticated enough to run a private CA for them, then you’re probably sophisticated enough to set up use-application-dns.net as well – though I still wouldn’t recommend ever treating domain name secrecy as a meaningful security boundary, considering how many ways they can be leaked. The remaining possibility is that your internal resources aren’t using SSL at all... in which case you have bigger problems than domain name leaks.