My recommendation is to support "DNS X-Proxied-For" -> quick win: DoH, DOT, DNSCrypt, Loadbalancing, dns rulesets with dnsdist.
The effort for "DNS X-Proxied-For" should be much less than implementing all crypto topics yourself, dnsdist is also already tested.