Encrypt DNS requests to WAN

Like you already said, maybe “DNS-Server” will be a feature at some point… However, I also don’t see it as a needed feature right now… Imo the “DNS-Forwarding” option is already good enough for most use cases, where VyOS is configured as a router or “lite firewall” etc… Also, as mentioned, this would probably put a high amount of work on top of the project/maintainers to make it stable and feature-rich, which should be used to improve other parts of the system right now instead, imo…

Before the original post I had already thought about the options that both of you have mentioned, as well as a few others in this specific situation (AdGuard on RPi, configuring DoH on a WS DC, etc.)… But in this specific case/environment, the possible problems that can be caused, as well as the maintenance and effort in general, probably aren’t worth it… Also, a simple “set system name-server prefer-secure” or “set system name-server 9.9.9.9 dot” etc. would’ve been perfect…

EDIT:

While doing some more research on GitHub, I’ve found a commit from March this year which allows using a custom port when specifying a forwarding name-server: dns: T5113: Support custom port for name-server forwarders by indrajitr · Pull Request #1914 · vyos/vyos-1x · GitHub

e.g. set service dns forwarding name-server 9.9.9.9 port 853

This then automatically uses an encrypted connection.

Also, there is already a task open for this topic, which I was unable to find until now… ⚓ T2195 Support for encrypted DNS: dnscrypt, DoH, DoT, anonymized DNS

Still thanks for your effort and good input.
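As an added example (not from the post or from VyOS), here is a minimal DNS-over-TLS client in Python that frames a query the way RFC 7858 requires and sends it to 9.9.9.9 on TCP/853, the resolver and port named above; run from another host, it confirms whether that upstream actually answers TLS on that port. The SNI name dns.quad9.net and the TLS endpoint are assumptions about the resolver, not VyOS settings.

```python
import secrets
import socket
import ssl
import struct

def build_query(name, qid=None):
    """Build a DNS A query (RFC 1035 wire format); random ID unless given."""
    qid = secrets.randbelow(0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(resp, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = resp[pos]
        if length & 0xC0 == 0xC0:  # compression pointer terminates the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += length + 1

def parse_a_records(query, resp):
    """Return A-record addresses, rejecting a reply whose ID does not match."""
    if resp[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_dot(name, server="9.9.9.9", port=853, sni="dns.quad9.net"):
    """Query over TLS (RFC 7858 length-prefixed); the SNI is an assumption for 9.9.9.9."""
    ctx = ssl.create_default_context()  # verifies the resolver's certificate chain
    query = build_query(name)
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            reader = tls.makefile("rb")  # buffered reads return exactly n bytes
            (length,) = struct.unpack("!H", reader.read(2))
            return parse_a_records(query, reader.read(length))
```

A plain-UDP/53 forwarder will refuse or time out on the TLS handshake, which is the quick way to tell the two apart from the outside.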