People are upset about Firefox's new default of routing DoH to Cloudflare, and I understand why. But it's useful to keep the issues distinct: DoH is a good thing (your ISP should not be able to see your DNS queries), even if routing them to Cloudflare isn't.
It seems interesting that the article and many comments here identify the application level as inherently wrong and the OS level as inherently right.
What if you were running docker containers on a server? Is it incorrect for the containers to set their own resolver settings?
For generic containers, it is. If you build your own very customised app, then sure, you can control what it does. But if you build an app, you don't know where/how I deploy it. It may be without internet access. It may be expected to use private DNS zones. It may be expected to query mdns. The container should not guess or assume those things.
That said, I also think that there’s no absolute truth for what constitutes a “specialized use case”. I think if I’m the operator of a network, or a computer, or a container, or an application, having it use custom DNS settings is up to me. And Firefox/Chrome enable that: the operator can change the setting to whatever they want.
Speaking to the default case, Firefox/Chrome moving towards DNS defined at the app layer smells painful to me as a network operator, but ISP DNS interception also smells to me, and for the normal consumer threat model and network topology, Firefox/Chrome using Cloudflare DNS is essentially pure win. Most consumer users aren't on networks with split-horizon DNS, and most consumer users aren't at risk from Cloudflare logging their DNS requests, even assuming they're violating their published privacy policies.