[nine_k]

The point is in not showing the watching adversary any DNS names at all. You do DoH, you do the IP cert, you enter TLS before naming any names. The www.secret.com is never visible in plaintext.

Only helpful if the IP itself is not incriminating or revealing, that is, it's an IP from a large pool like Cloudflare, GCP, AWS, etc.

To my mind, it's much more interesting to verify that an address like 1.1.1.1 or 8.8.8.8 is what it purports to be, but running UDP DNS over TLS is still likely not practical, and DoH already exists, so I don't see how helpful is it here.