I thought what you were describing was DNSSEC, which basically ensures the DNS server is who the DNS server says it is. Also, as you described, DNSSEC doesn't encrypt the payload, so anyone can read the DNS query and the response from the DNS server.
Here is an example of a regular DNS query. It's in plaintext.
root@dc502wrt:~# tcpdump -nnvvi eth0 dst port 53
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:14:15.792152 IP (tos 0x0, ttl 63, id 3068, offset 0, flags [none], proto UDP (17), length 53)
x.x.x.x.53686 > 8.8.8.8.53: [udp sum ok] 58669+ A? cnn.com. (25)
19:14:15.813902 IP (tos 0x0, ttl 63, id 3073, offset 0, flags [none], proto UDP (17), length 53)
x.x.x.x.41504 > 8.8.8.8.53: [udp sum ok] 26914+ AAAA? cnn.com. (25)
Here is what is seen when using dnscrypt-proxy2:
root@dc502wrt:~# tcpdump -nnvvi eth0 host 1.1.1.1 or host 1.0.0.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:19:57.030576 IP (tos 0x0, ttl 64, id 33616, offset 0, flags [DF], proto TCP (6), length 145)
x.x.x.x.52216 > 1.0.0.1.443: Flags [P.], cksum 0xda00 (incorrect -> 0x7527), seq 2738809251:2738809356, ack 3690564401, win 1002, length 105
19:19:57.030855 IP (tos 0x0, ttl 64, id 33617, offset 0, flags [DF], proto TCP (6), length 139)
x.x.x.x.52216 > 1.0.0.1.443: Flags [P.], cksum 0xd9fa (incorrect -> 0x607c), seq 105:204, ack 1, win 1002, length 99