Encrypted DNS protocols are gaining more popularity as tools to increase privacy. Most clients don't support them yet, while some do (f.e. Firefox), thus a way to listen for unencrypted DNS requests and forward them as encrypted is very welcome.

I evaluated two options:

• dnscrypt-proxy
  
  The features list is too long to include, its main advantages are support of: Tor, SOCKS proxies, anonymized DNS relays, filtering lists, load balancing with various strategies (including round-robin to further increase privacy), automated background update of resolver lists, built-in DoH server,...
  
  It can act as a:
  • standard DNS, DoH server
  • caching forwarder
  • load balancer
  • DoH, DoT, dnscrypt client

• dnsdist
  
  It can act as a:
  • standard DNS, DoH, DoT, dnscrypt server
  • load balancer
  • (in combination with pdns-resolver: standard DNS caching forwarder or resolver)
    
    It can act as a encrypted DNS server, but not client, so itself alone is not suitable to use. It's also not a full caching resolver, but just a load balancer with some optional basic packet caching. Its companion, PowerDNS resolver is currently used in VyOS as the "service dns forwarding" server, but it doesn't support encrypted upstream connections.

My choice would be to initially include dnscrypt-proxy, then maybe later dnsdist to add DoT/dnscrypt server support. The config syntax would need to be evaluated, if there are no conflicts with existing service dns forwarder, include it there, otherwise add a "service dns dnscrypt-proxy" node.