Comment by esbeeb
14 hours ago
DoH is the enemy of all self-hosters. When port 443 is used, you can't discriminate on it - to perhaps monitor it, work towards debugging it, block it, re-route it, etc. DNS shouldn't be a stowaway within some other protocol like HTTP, hiding from network-level scrutiny and control.
DoT is the friend of all self-hosters. Self-hosters need to control their own DNS if they want to use SSL within their LANs, within their self-hosted VPNs, and within their own self-hosted VPN subnets especially (I use Wireguard subnets a lot). Secure DNS with TLS, sure, but this control-ability, at the port level (853), is what a self-hoster needs to keep their life sane.
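As an added example (not part of esbeeb's comment), here is a small probe for the kind of self-hosted DoT resolver the comment describes: it frames a DNS query the way RFC 7858 requires (a 2-byte length prefix inside a TLS session to port 853), then parses the answer, which is the sort of monitoring and debugging a dedicated port makes straightforward. The resolver address and SNI name passed to `query_dot` are assumptions, and `SAMPLE_RESPONSE` is a constructed frame, not a capture from any real resolver.

```python
import socket
import ssl
import struct

def build_dot_query(name, qtype=1, txid=0x1234):
    """DNS query (RFC 1035) with the 2-byte length prefix that DoT requires (RFC 7858)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    msg = header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS IN
    return struct.pack(">H", len(msg)) + msg

def _skip_name(msg, pos):
    """Advance past a domain name, which may end in a 2-byte compression pointer."""
    while msg[pos]:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += msg[pos] + 1
    return pos + 1

def parse_dot_response(frame, expected_txid=0x1234):
    """Return the IPv4 answers from one length-prefixed DNS response frame."""
    (length,) = struct.unpack(">H", frame[:2])
    msg = frame[2:2 + length]
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("no usable answer: wrong txid, not a response, or RCODE set")
    pos = 12
    for _ in range(qd):  # skip the echoed question (name, QTYPE, QCLASS)
        pos = _skip_name(msg, pos) + 4
    answers = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            answers.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return answers

def query_dot(resolver_ip, name, sni, port=853):
    """Resolve one name over a TLS session to the resolver's DoT port (853 by default)."""
    ctx = ssl.create_default_context()  # verifies the resolver's certificate against the system store
    with socket.create_connection((resolver_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(build_dot_query(name))
            f = tls.makefile("rb")
            head = f.read(2)  # length prefix of the response frame
            body = f.read(struct.unpack(">H", head)[0])
    return parse_dot_response(head + body)

# Constructed sample (not a real capture): response for example.com, one A record 192.0.2.1, TTL 300
_MSG = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
        + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
SAMPLE_RESPONSE = struct.pack(">H", len(_MSG)) + _MSG
```

Run it against your own resolver with something like `query_dot("10.0.0.1", "example.com", "dns.lan.example")`, where the IP and SNI name are assumed values for your setup.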