What's the point of confidentiality for DNS? Can't an attacker pretty easily get IP-to-DNS mappings to discover who you're talking to? I guess not in the case of VPNs/Tor?
DNS hijacking is real and very annoying. The main benefit of these protocols is in the integrity of the DNS resolution data. It allows you to use any DNS server you want, without having your ISP modifying their responses.
Not in the case of Tor, but also not in the case of almost all/most cloud hosted services.
For example, consider that Cloudflare proxies about 10% of the Internet. Well, if you request a site they proxy, and DNS is in the clear, it's obvious who you are connecting to.
But if you request a site and the DNS is encrypted, you could be visiting any one of 10% of the sites out there.
Similarly, if hosting on AWS or Google Cloud Platform, there's a LOT of other services hosted in those IP blocks, and IPs change frequently, so there's a significant degree of ambiguity.
This is all in addition to fixing the threat of DNS leakage for VPN/Tor connections.
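To make the point of this comment concrete, here is an added example (not code from anyone in the thread): a small RFC 1035 wire-format parser that extracts exactly what a passive on-path observer reads from a plaintext DNS query (the queried name), set beside the far more ambiguous view that observer gets from the destination IP alone once the DNS exchange is encrypted. The sample query packet and the shared-hosting map (RFC 5737 documentation addresses) are constructed for illustration.

```python
"""Added example: plaintext DNS reveals the queried name (QNAME);
an encrypted resolver leaves only the later connection's destination IP,
which on a CDN or cloud provider may front many unrelated sites."""
import struct

# Constructed sample: a plaintext DNS query for the A record of "example.com"
# as it appears on the wire (UDP/53). Transaction id 0x1234, recursion desired.
PLAINTEXT_QUERY = bytes.fromhex(
    "1234"                  # transaction id
    "0100"                  # flags: standard query, RD set
    "0001"                  # QDCOUNT = 1
    "0000" "0000" "0000"    # ANCOUNT, NSCOUNT, ARCOUNT
    "07" "6578616d706c65"   # label "example"
    "03" "636f6d"           # label "com"
    "00"                    # root label terminates the name
    "0001"                  # QTYPE  = A
    "0001"                  # QCLASS = IN
)

# Constructed shared-hosting map (hypothetical): one CDN edge IP fronting
# several unrelated sites, and one origin IP dedicated to a single site.
SHARED_EDGE_IPS = {
    "203.0.113.10": ["example.com", "news.example.net",
                     "shop.example.org", "blog.example.co.uk"],
    "198.51.100.7": ["example.com"],
}


def parse_dns_question(packet: bytes) -> dict:
    """Parse the header and first question of a DNS message (RFC 1035 §4.1).
    Handles name-compression pointers and raises ValueError on malformed input,
    which is what a passive monitor has to cope with on real traffic."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos, end, hops = [], 12, None, 0
    while True:
        if pos >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[pos]
        if length == 0:                     # root label: name complete
            pos += 1
            break
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 §4.1.4)
            if pos + 1 >= len(packet):
                raise ValueError("truncated pointer")
            if end is None:                 # question continues after first pointer
                end = pos + 2
            hops += 1
            if hops > 32:
                raise ValueError("pointer loop")
            pos = ((length & 0x3F) << 8) | packet[pos + 1]
            continue
        if length > 63:
            raise ValueError("label too long")
        start = pos + 1
        if start + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[start:start + length].decode("ascii", errors="replace"))
        pos = start + length
    if end is None:
        end = pos
    if end + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[end:end + 4])
    return {"id": txid, "is_query": not (flags & 0x8000),
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def observer_view(dns_packet, dst_ip: str) -> set:
    """What a passive observer can infer about the site being visited.
    With a plaintext query in hand the name is read directly; with encrypted
    DNS only the destination IP is visible, so every site known to share that
    IP is a candidate."""
    if dns_packet is not None:
        return {parse_dns_question(dns_packet)["qname"]}
    return set(SHARED_EDGE_IPS.get(dst_ip, []))


if __name__ == "__main__":
    print("plaintext DNS :", observer_view(PLAINTEXT_QUERY, "203.0.113.10"))
    print("encrypted DNS :", observer_view(None, "203.0.113.10"))
    print("dedicated IP  :", observer_view(None, "198.51.100.7"))
```

Running the block prints a single name for the plaintext case and four candidates for the shared edge IP; the dedicated-origin case shows the limit the first comment alludes to, since encrypting DNS buys no ambiguity when the IP itself belongs to one site.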
CloudFlare's customers can choose whether the backhaul, between CloudFlare and their own web servers, is HTTP, HTTPS with a CloudFlare-issued private certificate, or HTTPS using publicly trusted certs from the Web PKI.
If you choose either of the latter two options, bad guys can't MITM you. The middle option has the benefit that they can't even MITM you by subverting a public CA (since only CloudFlare's own certs are trusted); the latter option has the benefit that you can "just" switch off CloudFlare and your site now works as an ordinary HTTPS site with no changes, if you ever want to do that.
Here is my story of why I tried dnscrypt: https://medium.com/@nykolas.z/ending-dns-hijacking-with-dnsc...