IMHO
DNS is a network function that should be handled at the network layer and separated from web traffic.
DNS needs to be resolvable from different locations (especially in enterprise) as you need to point people to internal resources.
DNS needs different treatment and higher priority than web traffic.
DNS should use TLS for integrity and confidentiality
DNS should use certificates for authentication
secure DNS should be on its own port
use DoT (DNS over TLS) to connect to an endpoint authenticated by DNSSEC
This can be handled in the network stack
This can be pointed at any resolver
This can be prioritised over web traffic
This uses TLS
This uses Certificates
This is on its own port
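The DoT arrangement argued for above, shown in working code as an added illustration (not the commenter's code): the client builds a plain RFC 1035 query with the EDNS0 DO bit, frames it with the two-byte length prefix RFC 7858 borrows from DNS over TCP, opens a TLS 1.2+ session to the resolver on TCP/853 with certificate and hostname verification required, and reads the AD ("authenticated data") flag out of the reply to see whether the resolver validated the answer with DNSSEC. The server address, server name and CA file passed to `query_over_dot` are assumptions of the caller; the sample response bytes are constructed inline so the parser can be exercised offline.

```python
"""Minimal DNS-over-TLS (RFC 7858) client pieces: build a query, frame it for
TLS, verify the resolver's certificate, parse the reply.  Added example."""
import socket
import ssl
import struct

DOT_PORT = 853    # RFC 7858: DoT has its own port, separate from HTTPS on 443
FLAG_AD = 0x0020  # "Authenticated Data": resolver validated the answer with DNSSEC

def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as DNS wire labels terminated by the root label."""
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, txn_id: int = 0x1234) -> bytes:
    """DNS query (RFC 1035) plus an EDNS0 OPT record carrying the DO bit, which
    tells the resolver the client wants DNSSEC-aware handling of the answer."""
    # header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # QCLASS IN
    # OPT pseudo-RR: root name, TYPE 41, UDP payload 4096, ext-RCODE 0, version 0,
    # flags with DO=0x8000, RDLEN 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def frame_for_dot(msg: bytes) -> bytes:
    """RFC 7858 reuses DNS-over-TCP framing: two-byte big-endian length prefix."""
    return struct.pack(">H", len(msg)) + msg

def read_name(wire: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, jumped, end = [], False, off
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack(">H", wire[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(wire[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end

def parse_response(wire: bytes) -> dict:
    """Return id, rcode, AD bit and A-record answers from a DNS response."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(wire, off)
        off += 4          # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, off = read_name(wire, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", wire[off:off + 10])
        off += 10
        rdata = wire[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return {"id": txn_id, "rcode": flags & 0x000F,
            "ad": bool(flags & FLAG_AD), "answers": answers}

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT server closed the stream early")
        buf += chunk
    return buf

def query_over_dot(server_ip: str, server_name: str, name: str, cafile=None) -> dict:
    """Open TLS to a DoT resolver on 853, requiring a certificate that chains to the
    given CA bundle and matches server_name (sent as SNI), send one query and parse
    the reply.  Needs network access; server_ip/server_name/cafile are the caller's."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_for_dot(build_query(name)))
            (length,) = struct.unpack(">H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))

# Constructed sample response (not captured traffic): id 0x1234, flags QR|RD|RA|AD,
# one question (example.com A IN), one answer whose owner is a compression pointer
# to offset 12, TTL 300, address 192.0.2.1 (documentation range).
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack(">HH", 1, 1)
    + b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = frame_for_dot(build_query("example.com"))
    print(f"framed query: {len(q)} bytes, length prefix {q[:2].hex()}")
    print(parse_response(SAMPLE_RESPONSE))
```

The AD bit only means the resolver you are talking to claims it validated; that claim is worth exactly as much as the TLS authentication of the resolver, which is why `query_over_dot` refuses to run with `CERT_REQUIRED` and hostname checking turned off.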