I haven’t done it yet. I was busy setting up the second sys-vpn, then I tested dom0-live in btrfs. Now I’m waiting for qubist post about dnscrypt-proxy. For now, I’ve only added dns-over-tls to some appVms
/rw/config/rc.local
systemd-resolve --set-dns=9.9.9.9 --set-dnsovertls=yes --interface=eth0
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
systemctl restart systemd-resolved