Encrypted DNS makes user tracking more difficult for service providers.
Different approaches exist:
- DNS over TLS
- DNS over HTTPS
It would be nice to set this up in VyOS and let clients use VyOS as their DNS forwarder (announced automatically via DHCP) instead of manually configuring every client.
Cloudflare has a free implementation if you need some servers to test.
Most tutorials I found use "unbound" as DNS cache/forwarder.