How much to encrypt?
For a small part of the dispute, there is the noise about DNSSEC vs DNSCurve. DNSSEC is more widely deployed, but Daniel J. Bernstein (author of DNSCurve, and also the discoverer of Elliptic Curve 25519 and other important work, but a rather difficult individual to work with) has denigrated DNSSEC as a "DDOS amplifier." However, by considering encryption to be "free," DNSCurve would eliminate DNS caching, and the load on authoritative DNS servers would increase... dramatically. So nobody uses DNSCurve.
Because nobody uses DNSCurve, your every DNS query is open to interception and manipulation. DNSSEC makes it harder to forge the responses, but that may be small comfort when you're jailed for looking up torproject.org.
What I'd like to see is IPsec with opportunistic encryption, but I don't expect that to be widely available... ever.