From a presentation he's done on DoH (he's done a few):
> 2. DoH creates a new class of exfiltration risks
[…]
> When DNS traffic goes through the HTTPS port, it becomes completely indistinguishable from web traffic, or as Paul said, “paints us all with the same brush.” It is this lack of visibility where the trouble happens. Consider a CISO who wants to use DNS as a strategy to protect their network. Or consider a network team who need to block or sinkhole traffic. With DoH, that’s not possible.
> Since DoH changes the security perimeter and controls that were once possible with conventional DNS, this is a potential vulnerability that bad actors can exploit. Paul’s biggest concern is “every botnet from now on is going to be coded to use DoH.” That will cause headaches for everyone in a company’s IT organization.
> Most quotable moment: “What we’ve done here is to create a new class of exfiltration risk that we can expect every intruder whether hardware, software or [meetware 00:56:41] is going to be using” – Paul Vixie
* https://bluecatnetworks.com/blog/3-takeaways-from-the-dns-ov...
Vixie has been doing DNS since ~1998, wrote/maintained BIND 8, co-founded ISC (which maintains BIND 9 and DHCPd), and a bunch of other Internet-y stuff such that he's in the Internet Hall of Fame:
* https://www.internethalloffame.org/inductees/paul-vixie
He's an authority on the DNS, but that doesn't mean he's right about everything to do with it. He's an advocate for DNSSEC, for instance, which is a fiasco. In this instance, his concern about DoH enabling malware or closed-source devices is incoherent (none of these bugbears even need to use DNS at all if they don't want to). The concern DoH addresses, meanwhile, is not abstract: if you're in the US on a major ISP, it's almost certain that your ISP is monetizing your DNS lookups.
See also "DoH Policy Conference - The Consequences of Encrypting DNS":
* https://www.youtube.com/watch?v=9CKxIHSlfgg
From some BSD conferences:
* https://www.youtube.com/watch?v=ZxTdEEuyxHU
* https://www.youtube.com/watch?v=8SJorQ9Ufm8