[0xquad]

They are responding to the very recent emergence of applications (like Firefox) that (optionally) use their own encrypted DNS, thus bypassing the enterprise's ability to apply security policy based on DNS. (Visibility on DNS is also useful to help detect some malware.) I'll allow it.

[vaduz]

It's clearly also spurred by the attempts to further obfuscate the use of DoH via Oblivious DoH [0] - though they don't go into much details on it.

[0] https://news.ycombinator.com/item?id=25344358

[Daho0n]

>thus bypassing the enterprise's ability

I think you could change it to read " bypassing the NSA's ability" and find the real reason behind this.

[0xquad]

They aren't recommending you don't use DoH. Just that you don't allow individual apps to bypass your enterprise resolver. In fact I use the same strategy at home (with DoT) to enforce ad and tracker blocking. It's just common sense really.

From the document: >[...] NSA recommends that the enterprise DNS resolver supports encrypted DNS, such as DoH, and that only that resolver be used in order to have the best DNS protections and visibility.