by 1vuio0pswjnm7
2012 days ago
As of today, how many DoH servers are running from IP addresses also used for serving websites? In the testing I have done with publicly advertised DoH servers, generally, the IPs are only used for DoH (sometimes DoT, too). Of course this could change. The localhost forward proxy I use can distinguish DoH requests from other HTTP requests because the DoH query URL structures used are mostly the same; they follow RFC8484. As of today, it is easy to probe IP addresses for listening DoH servers. The list of "known DoH hosts" is still quite small. Of course this could change.

To be clear, I am definitely not a proponent of applications ignoring user system-wide DNS settings and using DoH to obscure that fact. I have long run localhost root and DNS for myself and have no need for third party DNS, whether ISP or open resolvers. However, as an end user I see no reason to trust any outgoing HTTPS traffic from applications authored by folks who are agreeable to online advertising as a business model. The greatest threat I face is online advertising, not DNS lookups associated with malware. With DoH, HTTPS traffic could contain an unwanted DNS request, but prior to DoH it could also contain data to be used for tracking and advertising purposes. I felt the need to start monitoring/MITM'ing the HTTPS traffic on the private networks I control long before anyone proposed DoH. I would guess many corporations and other organisations do the same.
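The comment above says a forward proxy can pick DoH queries out of other HTTPS requests because they share the RFC 8484 request shape. The following is an added example, not the commenter's proxy code: it classifies decrypted HTTP requests by the two RFC 8484 forms (a GET with a base64url-encoded `dns` query parameter, or a POST whose body has `Content-Type: application/dns-message`), decodes the DNS wire-format question so the proxy can log which name was asked for, and is exercised against a few constructed sample requests. The `/dns-query` path, the `classify_request` function name and the sample requests are assumptions for illustration; the path is only a convention, which is why the code keys on the parameter and content type rather than the URL path.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# RFC 8484 media type used for both POST bodies and responses.
DOH_CONTENT_TYPE = "application/dns-message"


def build_query(qname, qtype=1, txid=0):
    """Build a minimal DNS wire-format query (used here only to construct
    sample traffic). RFC 8484 suggests ID 0 for GET queries so that the
    encoded URL is stable and cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # QCLASS IN


def _b64url_decode(s):
    """RFC 8484 GET queries use base64url without '=' padding; restore it."""
    s = s.strip()
    return base64.urlsafe_b64decode(s + "=" * ((-len(s)) % 4))


def parse_dns_question(msg):
    """Return (qname, qtype) of the first question in a DNS message.
    Raises ValueError for anything that is not a well-formed query."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n = msg[pos]
        if n & 0xC0:
            # Compression pointers are legal in DNS but never appear in the
            # question name of a fresh query; treat them as not-a-query.
            raise ValueError("compression pointer in question name")
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels) or ".", qtype


def classify_request(method, target, headers, body=b""):
    """Classify one plaintext HTTP request (as seen by an intercepting proxy
    after TLS termination) as DoH or ordinary HTTP. Returns a dict with
    'doh', 'form' (GET/POST), 'qname' and 'qtype'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    result = {"doh": False, "form": None, "qname": None, "qtype": None}
    try:
        if method.upper() == "GET":
            qs = parse_qs(urlsplit(target).query)
            if "dns" in qs:
                qname, qtype = parse_dns_question(_b64url_decode(qs["dns"][0]))
                result.update(doh=True, form="GET", qname=qname, qtype=qtype)
        elif method.upper() == "POST":
            ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
            if ctype == DOH_CONTENT_TYPE:
                qname, qtype = parse_dns_question(body)
                result.update(doh=True, form="POST", qname=qname, qtype=qtype)
    except ValueError:
        # Looked like DoH (a 'dns' parameter or the media type) but did not
        # decode to a DNS query; binascii.Error is a ValueError subclass.
        pass
    return result


# Constructed sample requests: two DoH queries and three ordinary requests,
# one of which carries a 'dns' parameter that is not a DNS message.
EXAMPLE_QUERY = build_query("example.com", 1)
SAMPLE_REQUESTS = [
    ("GET", "/dns-query?dns=" + base64.urlsafe_b64encode(EXAMPLE_QUERY).rstrip(b"=").decode(),
     {"accept": DOH_CONTENT_TYPE}, b""),
    ("POST", "/dns-query", {"content-type": DOH_CONTENT_TYPE}, build_query("example.net", 28)),
    ("GET", "/index.html", {"accept": "text/html"}, b""),
    ("GET", "/dns-query?dns=hello", {}, b""),
    ("POST", "/api", {"content-type": "application/json"}, b'{"dns": "x"}'),
]


def classify_all(requests=SAMPLE_REQUESTS):
    return [classify_request(*r) for r in requests]


if __name__ == "__main__":
    for req, res in zip(SAMPLE_REQUESTS, classify_all()):
        print(req[0], req[1][:40], "->", res)
```

The proxy only sees this shape after terminating TLS, which is the MITM position the comment describes; without that, the signal left is the destination IP, which is why the comment's observation that advertised DoH endpoints tend to sit on dedicated addresses matters. A resolver can serve DoH on any path, so the last two sample requests show why matching on the `dns` parameter plus a successful wire-format parse, or on the `application/dns-message` content type, is more robust than matching on `/dns-query` alone.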