I am interested to know how you set up your DNS resolver? What DNS provider do you use?
Winston hijacks all unencrypted DNS, upgrades it to encrypted DNS and randomly distributes it to one of our two providers, Cloudflare and IBM Quad 9/X-Force. DNS entries are cached for 60 minutes by default.
The default is to always encrypt traffic, but if both providers go down Winston will fail over to unencryupted to allow you to continue to use the Internet.
Today, users are not able to change the DNS encryption, themselves, but we are discussing allowing it in the future.