Some follow-up on this topic.
I was interested in this when it was first announced, and I do agree with you on the point that you should encrypt DNS rather than use non-encrypted DNS.
It wasn't that hard to set up my own DNS over HTTPS server at home; I got it running in about an hour all up, with the DoH server running on Debian 10 using this project (https://github.com/m13253/dns-over-https).
Built a Debian Box.
Changed the doh-server.conf to listen on (looks like a bug, as I couldn't get it to just use 0.0.0.0/0). Then removed Cloudflare's & Google's public resolvers and pointed it to the two internal DNS resolvers.
Created a new dns.conf file on my reverse proxy.
Extended the Let's Encrypt cert.
All seems to work. I can see the requests & replies when I do a tcpdump on the reverse proxy.
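As an added example (not part of the post above and not code from the m13253/dns-over-https project), here is a small RFC 8484 client-side checker for a DoH endpoint like the one described: it builds a wire-format DNS query, encodes it for the `?dns=` GET form, and parses the wire-format answer so you can confirm the server behind the reverse proxy is actually answering. The hostname `doh.example.test` and the embedded `SAMPLE_RESPONSE` (an answer for `example.test` pointing at the documentation address 192.0.2.10) are constructed so the parsing path runs offline; replace the `fetch` argument with the default to query a real endpoint.

```python
"""
Minimal RFC 8484 (DNS-over-HTTPS) client-side helpers, added as an example:
build a wire-format DNS query, encode it for the GET form, parse the reply.
The sample response below is constructed so everything runs offline.
"""
import base64
import struct
import urllib.request

TXID = 0x1234  # fixed transaction id so the reply can be matched


def build_query(name, qtype=1):
    """Build a wire-format DNS query (RFC 1035) for `name`, class IN, RD set."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def encode_get_param(msg):
    """RFC 8484 GET form: base64url without '=' padding, for the `dns` parameter."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def decode_get_param(param):
    """Inverse of encode_get_param (what a DoH server does with `?dns=`)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def _read_name(msg, offset):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_answers(msg):
    """Parse a wire-format DNS response; return id, rcode and the A records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": txid, "rcode": flags & 0x000F, "a_records": answers}


def check_doh(doh_url, name, fetch=None):
    """GET the query from `doh_url` and parse the reply; `fetch` is swappable for offline tests."""
    url = f"{doh_url}?dns={encode_get_param(build_query(name))}"
    if fetch is None:
        def fetch(u):
            req = urllib.request.Request(u, headers={"Accept": "application/dns-message"})
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read()
    result = parse_answers(fetch(url))
    if result["id"] != TXID:
        raise ValueError("transaction id mismatch in DoH reply")
    return result


# Constructed sample reply: "example.test A" -> 192.0.2.10 (documentation range), TTL 300
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    # Hypothetical endpoint name; the fetch stub keeps this run offline.
    print(check_doh("https://doh.example.test/dns-query", "example.test",
                    fetch=lambda u: SAMPLE_RESPONSE))
```

Dropping the `fetch` argument sends a real HTTPS GET with `Accept: application/dns-message`, which is the same request shape a browser or resolver would send to the reverse proxy path configured for the DoH server.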