I am unclear on what your end goal is in encrypting DNS - you trust yourself and your users, I'm assuming, and you likely trust that the internet will work. Great. Set up your own little black book, use the phone book of the internet to fill it with, and let big data and your ISP pound salt:
If you're looking to avoid big data monitoring your DNS lookups, using your own recursive caching DNS server is the way to go.
Thankfully, the kind people here have made it VERY simple - they've built/modified a script called unbound.
What that does is build your network's own DNS server, and for new/unknown/uncached queries, it goes to the internet's authoritative servers, bypassing Google or Cloudflare or whomever is evaluating/observing what it is you're looking up. You basically become a peer to Google and Cloudflare in that regard... but most notably, your DNS pings are notably shorter and faster, because clients on your network only have to look as far as the router for DNS, and if it's not found, the router goes to the same source as Google and Cloudflare or your ISP (they have their own DNS server, built from tracking all their subscribers' actions).
No encryption required. The majority of my network lookups are in the 0-1usec range. I believe non-cached lookups are averaging in the 20ms range... average is likely in the 10-12ms neighbourhood, or faster. What's your ping time to Cloudflare?
[attachment 36234: screenshot of ping output]
^ That's raw dog pings to Cloudflare, Google and my router from my desktop. No encryption.
So, do the math - if caching DNS addys on my local network saves me 7.5ms each (or more!), AND affords me the privacy I've come to appreciate, wouldn't you agree that messing with DoH/DoT is inefficient?
unbound - This Is The Way
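For readers who want to see what the post is describing in concrete terms, here is an added example of a minimal unbound configuration for a recursive caching resolver that answers the LAN directly and walks from the root servers itself, with no upstream forwarder. This is an illustration written for this thread, not the script or config the post refers to; the interface address, LAN range and the path to the root hints file are assumptions and will differ per router.

```conf
# Example unbound.conf for a LAN recursive caching resolver (added illustration).
# Assumptions: router LAN address 192.168.1.1, LAN is 192.168.1.0/24,
# root hints installed at /var/lib/unbound/root.hints (adjust to your system).
server:
    # Listen only on the LAN side and loopback; never expose the resolver to the WAN.
    interface: 192.168.1.1
    interface: 127.0.0.1

    # Only the LAN may query; refuse everything else (prevents an open resolver).
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # No forward-zone is defined, so unknown names are resolved from the root
    # servers downward (the "peer to Google and Cloudflare" behaviour described above).
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation so answers fetched from authoritative servers can be trusted.
    # root.key is maintained automatically by unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Caching behaviour: keep answers for their TTL and refresh popular names
    # before they expire, so most LAN lookups never leave the router.
    cache-min-ttl: 0
    prefetch: yes
    prefetch-key: yes

    # Privacy hardening: send only the minimum name labels to each upstream
    # authoritative server, and don't reveal the resolver's software.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

    # Robustness against spoofed or stripped responses.
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes

    # Do not accept answers pointing public names at private addresses,
    # except for our own LAN zone.
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: fd00::/8
    private-address: fe80::/10
    private-domain: "lan"
    do-not-query-localhost: yes
```

Check the file with `unbound-checkconf` before restarting the service, and use `unbound-control stats` to confirm that cache hits climb relative to misses as the LAN warms the cache; that ratio is what produces the sub-millisecond lookups the post describes. The `access-control` lines matter for security: a recursive resolver reachable from the internet is abusable for DNS amplification, so it should only ever answer the LAN.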