The US National Security Agency has warned enterprises about using externally hosted DoH-capable DNS servers. The NSA said that DoH cannot completely prevent malicious actors from viewing a user's DNS traffic, and that when external DoH resolvers are used inside enterprise networks, they can be leveraged to bypass security measures that depend on inspecting traditional DNS traffic to identify threats.
The agency has urged organizations to avoid using external DoH servers and instead opt for internal DoH-capable DNS resolvers, which improves security by keeping the resolver under the enterprise's own control.
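As an added illustration of the monitoring gap the advisory describes (this is example code, not from the NSA guidance or the ZDNet article), the following Python correlates constructed plaintext DNS and network flow logs to flag clients that reach an external DoH resolver instead of the enterprise one. The resolver hostnames, the internal resolver name and the log record layouts are all assumptions for the example.

```python
"""Flag clients that talk to an external DoH resolver rather than the internal one.

Two signals are correlated per client host:
  1. A plaintext DNS lookup of a hostname known to be an external DoH resolver
     (clients usually bootstrap DoH with one ordinary DNS query).
  2. An HTTPS (tcp/443) flow whose destination is an address returned by that
     lookup, or whose TLS SNI names an external DoH resolver directly.
Flows to the approved internal DoH resolver are ignored.
"""

# Constructed resolver names for illustration only; not taken from the advisory.
EXTERNAL_DOH_RESOLVERS = {"doh.example-resolver.net", "dns.example-public.org"}
INTERNAL_DOH_RESOLVER = "doh.corp.example"  # hypothetical enterprise resolver

# Constructed sample DNS log: (time, client, query name, answer IP)
DNS_LOG = [
    ("09:00:01", "10.1.2.10", "doh.example-resolver.net", "203.0.113.5"),
    ("09:00:02", "10.1.2.11", "doh.corp.example", "10.0.0.53"),
    ("09:00:03", "10.1.2.12", "www.example.com", "198.51.100.7"),
]

# Constructed sample flow log: (time, source, destination IP, dest port, TLS SNI)
FLOW_LOG = [
    ("09:00:02", "10.1.2.10", "203.0.113.5", 443, ""),          # IP learned via plain DNS
    ("09:00:03", "10.1.2.11", "10.0.0.53", 443, "doh.corp.example"),  # internal, fine
    ("09:00:04", "10.1.2.12", "198.51.100.7", 443, "www.example.com"),  # ordinary web
    ("09:00:05", "10.1.2.13", "203.0.113.9", 443, "dns.example-public.org"),  # SNI hit
]


def find_external_doh_clients(dns_log, flow_log):
    """Return {client: {resolver hostnames}} for clients using external DoH."""
    # client -> {answer IP: resolver hostname} built from plaintext DNS lookups
    resolved = {}
    for _t, client, qname, ip in dns_log:
        if qname in EXTERNAL_DOH_RESOLVERS:
            resolved.setdefault(client, {})[ip] = qname

    findings = {}
    for _t, src, dst, port, sni in flow_log:
        if port != 443 or sni == INTERNAL_DOH_RESOLVER:
            continue
        # Prefer the SNI when present; fall back to the IP seen in the DNS answer.
        host = sni if sni in EXTERNAL_DOH_RESOLVERS else resolved.get(src, {}).get(dst)
        if host:
            findings.setdefault(src, set()).add(host)
    return findings


if __name__ == "__main__":
    for client, hosts in sorted(find_external_doh_clients(DNS_LOG, FLOW_LOG).items()):
        print(f"{client} uses external DoH resolver(s): {', '.join(sorted(hosts))}")
```

A flow without SNI whose resolver address was never seen in plaintext DNS will not be caught by this correlation, which is exactly why the advisory prefers blocking external resolvers at the network edge rather than relying on detection alone.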
Source: zdnet