> Isn't that what [axfrdns](https://cr.yp.to/djbdns/axfrdns.html) from
> djbdns is made for?

It's the "S" in "HTTPS". The whole point of the exercise is to have end-to-end encryption and server authentication between you and the DNS server. Otherwise it's dumb, it just adds overhead. If you trust the path between yourself and your DNS server (e.g. because it's on your home router), just use plain old DNS-over-UDP.

<3,
K.