
They aren't recommending you don't use DoH. Just that you don't allow individual apps to bypass your enterprise resolver. In fact I use the same strategy at home (with DoT) to enforce ad and tracker blocking. It's just common sense really.

From the document:

> [...] NSA recommends that the enterprise DNS resolver supports encrypted DNS, such as DoH, and that only that resolver be used in order to have the best DNS protections and visibility.


