What’s the threat model here? I can think of no DNS shennanigans that would not be detectable through the authentication mechainsms in TLS (chain-of-trust). Not having to trust network infrastructure is exactly what TLS is for.
What is it that you’re doing that is still not using some form of authenticated encryption? Almost everything is https, ssh, almost all mailservers have tls support, irc does have tls support…
What’s left that needs to be encrypted by a VPN?
What’s the threat model here? I can think of no DNS shennanigans that would not be detectable through the authentication mechainsms in TLS (chain-of-trust). Not having to trust network infrastructure is exactly what TLS is for.