diff --git a/static/faq.html b/static/faq.html index 03edbc48..e51a7122 100644 --- a/static/faq.html +++ b/static/faq.html @@ -68,6 +68,13 @@ tracking and silent SMS? +
This is not a bug, but rather the feature is operating as it is intended to. When + operating in forced mode, private DNS requires a domain and will reject invalid + certificates to ensure that the source is authenticated, not just encrypted. Automatic + mode only uses encryption opportunistically, and must be able to fall back to + unauthenticated encryption or fall back to plaintext if the DNS server does not support + DNS over TLS or the certificate is not valid. Although this does not protect against an + active adversary that blocks encrypted communications to the DNS server or will replace + the certificates entirely to intercept the encrypted traffic, automatic will + transparently provide some opportunistic protection against a passive adversary. When a + private DNS provider hostname is specified, the phone will not proceed unless the + certificates for TLS are valid and will not fall back to an unauthenticated or plaintext + connection should the validation fail.
+
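Review bot: the new FAQ paragraph mislabels the modes and misstates the fallback behaviour, which is the whole point of the answer. First, the terminology should match the Android setting the user sees: the choices are "Automatic" and "Private DNS provider hostname" (usually called strict mode), so "forced mode" and "requires a domain" should read along the lines of "When a private DNS provider hostname is specified (strict mode), private DNS requires a hostname and will reject invalid certificates". Second, in automatic mode there is no hostname to validate a certificate against, so the opportunistic DNS-over-TLS connection is unauthenticated from the start; it does not "fall back to unauthenticated encryption", and an invalid certificate does not trigger any fallback because the certificate is not checked at all. The sentence "must be able to fall back to unauthenticated encryption or fall back to plaintext if the DNS server does not support DNS over TLS or the certificate is not valid" should instead say that automatic mode attempts DNS over TLS without validating the certificate and falls back to plaintext DNS only when the resolver does not answer over TLS; that is the actual reason the observed behaviour is "not a bug". Minor wording: "This is not a bug, but rather the feature is operating as it is intended to" reads better as "This is not a bug; the feature is working as intended", "automatic will transparently provide" should be "automatic mode will transparently provide", and "the phone will not proceed" is vague, say that DNS resolution fails rather than falling back.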