
If you want to prevent MitM attacks, run a local DNS server with DNSSEC. DoH is a trend in the wrong direction. The more IoT garbage begins using DoH, the less control over your privacy you will have. Solutions like pi-hole are rendered useless by DoH.



Since virtually none of the most popular domains are signed, going to the trouble of installing a local DNSSEC server isn't actually going to protect you from anything. Meanwhile: if you're in North America, your ISP is almost certainly collecting and warehousing your DNS queries, and DoH immediately breaks that. Plenty of people use DoH through Pi-holes, for what it's worth.


Not all MitMs inject malicious responses; denial of service is equally problematic. If you can block DNS requests via a Pi-hole, so can your upstream ISP (whether it's because they want to throttle your internet usage, or police it, or whatever else).

And even just a passive observer snooping on your DNS requests can result in an invasion of privacy.


I agree on all counts, but DoH removes control and choices that I want to keep. pi-hole itself supports DoH. It's a good way to protect privacy and keep control.
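The thread argues about what DoH and DNSSEC each do and do not give you. The following is an added example, not code from any commenter or from the Pi-hole project: it builds a DNS wire-format query with the EDNS DO bit set, wraps it in an RFC 8484 DoH GET URL (base64url, no padding, transaction id 0 as the RFC recommends for cacheability), and parses a constructed response to read the AD (authenticated data) flag a validating resolver sets only for a signed zone. The resolver URL is a placeholder and the response bytes are constructed, not captured from any server.

```python
import base64
import struct

# Placeholder resolver endpoint (assumption, not a real service).
DOH_RESOLVER = "https://doh.example.invalid/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0, want_dnssec: bool = True) -> bytes:
    """Minimal RFC 1035 query: header + one question, optional EDNS OPT RR with DO=1."""
    flags = 0x0100  # RD (recursion desired)
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    msg = header + question
    if want_dnssec:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, ext-rcode, version,
        # flags with DO bit (0x8000) asking for DNSSEC records, RDLENGTH=0.
        msg += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return msg


def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url-encoded wire message, padding stripped."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def decode_dns_param(param: str) -> bytes:
    """Inverse of doh_get_url: restore padding and decode (what a DoH server does)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def _read_name(msg: bytes, offset: int, max_hops: int = 16):
    """Read a possibly compressed name; returns (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg: bytes) -> dict:
    """Return rcode, the AD flag, and any A records from a wire-format response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    # AD (0x0020) is set by a validating resolver only when the data was DNSSEC-validated.
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020), "answers": answers}


def sample_response(ad: bool = True) -> bytes:
    """Constructed response for example.com (TEST-NET address), not a real capture."""
    flags = 0x8180 | (0x0020 if ad else 0)  # QR, RD, RA (+ AD)
    header = struct.pack("!HHHHHH", 0, flags, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_RESOLVER, q))
    print(parse_response(sample_response()))
```

The point of the AD check is the one made earlier in the thread: DoH only hides the query from on-path observers, while an unsigned zone gets no AD flag however it is transported, so a local validating resolver adds nothing for such domains. On the Pi-hole side, the same encoded query on port 443 is what makes DoH invisible to a plain-DNS filter.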





