I am interested to know how you set up your DNS resolver? What DNS provider do you use?
Winston hijacks all unencrypted DNS, upgrades it to encrypted DNS through Cloudflare. DNS entries are cached for 60 minutes by default.
The default is to always encrypt traffic, but if both providers go down Winston will fail over to unencryupted to allow you to continue to use the Internet.
Today, users are not able to change the DNS encryption, themselves, but we are discussing allowing it in the future.