When using a secure DNS server that is configured by name, the phone has to make a regular DNS request to get the IP address of the secure server before it can start using secure DNS.
Also make sure the DNS server is accessible through the VPN tunnel. Some services blacklist well-known VPN output IPs.
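A way to tell the two failure points apart, written as an added example that is not part of the original text: it performs the regular bootstrap lookup, then tries a TLS handshake to each returned address. It assumes the secure DNS is DNS over TLS on port 853 and that the script runs on a machine connected through the same VPN; `dns.example.net` is a placeholder hostname.

```python
import socket
import ssl

DOT_PORT = 853  # assumption: the secure DNS is DNS over TLS (RFC 7858)

def bootstrap_resolve(hostname):
    """Stage 1: ordinary, non-secure lookup through the system resolver."""
    infos = socket.getaddrinfo(hostname, DOT_PORT, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tls_probe(ip, hostname, timeout=5.0):
    """Stage 2: TCP connect and TLS handshake, certificate checked against hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.version()

def check_secure_dns(hostname, resolve=bootstrap_resolve, probe=tls_probe):
    """Report which stage fails: the bootstrap lookup or reaching the server."""
    report = {"hostname": hostname, "bootstrap": None, "servers": {}, "usable": False}
    try:
        ips = resolve(hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        report["bootstrap"] = f"failed: {exc}"
        return report
    report["bootstrap"] = "ok"
    for ip in ips:
        try:
            report["servers"][ip] = f"ok ({probe(ip, hostname)})"
            report["usable"] = True
        except OSError as exc:  # refused, timed out, or TLS/certificate error
            report["servers"][ip] = f"unreachable: {exc}"
    return report

if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "dns.example.net"  # placeholder
    for key, value in check_secure_dns(name).items():
        print(f"{key}: {value}")
```

Running it once with the VPN up and once with it down shows whether a failure comes from the bootstrap lookup or from the server being unreachable through the tunnel.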