Encrypted DNS (connection) profiles
Description of the feature
I think encrypted global DNS can be considered a sort of weaker VPN that encrypts only DNS queries, but it shares several features with one. It needs another, normal connection for its activation, because the route to the DNS server would not be provided by its own connection.
It would be similar to a normal connection, but it would never have addresses on it. It would not be tied to a specific interface, but would use whatever connection provides the needed routes. Mostly it would need just the ipv4.dns* options and connection.dns-over-tls.
I think that would be the global-dns support that already exists in NM, improved so that it is managed in an easier way, similar to other connections, possibly reusing existing widget parts for GUI configuration. When defined, its default dns-priority should be higher than common Ethernet, but I guess lower than VPNs.
It would allow a nicer `[global-dns-domain-example.net]` definition, similar to normal connections.
Of course it would also make sense to allow unencrypted global DNS to be defined this way, as normal global-dns allows now.
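For comparison, this is what the existing global DNS mechanism the issue refers to looks like today in NetworkManager.conf (main file or a drop-in under conf.d). This is an added illustration, not configuration from the issue or from the NetworkManager project; the search domain, the resolver options and all server addresses are constructed placeholders (192.0.2.0/24 is a documentation range), and the `example.net` domain is the one the issue itself uses.

```ini
# Added example of the current NetworkManager.conf global-dns syntax.
# Values are constructed placeholders, not a recommended resolver setup.

[global-dns]
# Search domains and resolver options applied system-wide; servers are
# not set here but in the per-domain sections below.
searches=example.net
options=edns0

# The '*' section is the default domain: these servers answer every
# query that no more specific global-dns-domain section claims.
[global-dns-domain-*]
servers=192.0.2.53,192.0.2.54

# Servers used only for names under example.net. This is the kind of
# split-domain definition the issue wants to express as a connection
# profile instead of a config-file section.
[global-dns-domain-example.net]
servers=192.0.2.153
```

Note what this file cannot express and the proposal would: there is no per-server transport setting here, so encryption has to come from the per-connection `connection.dns-over-tls` property mentioned above, and the sections are static configuration rather than profiles that can be activated, deactivated or auto-connected on their own.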
Description of the use cases
- I want to be able to install profiles for popular encrypted DNS providers (dns.google, dns.quad9.net, cloudflare-dns.com) from some package.
- I want to be able to activate just selected servers, not all installed ones. (Like a VPN connection, it could also auto-connect on start, right?)
- I want to be able to define an encrypted DNS different from the global one, just for selected private domains. This might be a custom top-level domain like `.private`, `.lan` or `.home.arpa`. It might also be a higher-level domain, like `corp.example.com`.
- I want to enable such a server just temporarily or permanently. The auto-enable behaviour that normal connections have can be reused.
References and other resources
- Support DNS over TLS on GNOME: https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/750
- https://github.com/systemd/systemd/issues/33754