by t0astbread 2065 days ago
Performance over privacy is a fine tradeoff but if you have the means to, I would recommend avoiding unencrypted unauthenticated DNS over UDP/53. It's probably not a big threat in practice but if someone were to intercept your DNS traffic, they could redirect your internet connections to a different server. TLS (or other forms of authentication) should handle authenticity issues but (probably) not everything on your system mandates TLS.

If I'm not mistaken you can use DNSSEC to authenticate, but not encrypt, your DNS requests. For me however, the simpler way was to just use DoT/DoH. I haven't noticed any slowdowns.

If you care about performance, you could check if your system caches DNS responses and configure that cache accordingly.
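For the DoT-plus-caching setup suggested above, here is an added example (not from the comment author) of a systemd-resolved configuration on Linux; the resolver address 192.0.2.53 and the TLS hostname dot.resolver.example are placeholders you would replace with your own resolver's values:

```ini
; /etc/systemd/resolved.conf  (added example, not from the original post)
; Assumes a Linux host running systemd-resolved as the stub resolver.
[Resolve]
; Upstream resolver as address#hostname; the hostname is used as the
; TLS SNI and must match the resolver's certificate. Placeholder values.
DNS=192.0.2.53#dot.resolver.example

; "yes" refuses to fall back to plain UDP/53 if TLS cannot be set up,
; which is the setting that removes the interception risk described above.
; "opportunistic" would silently downgrade to cleartext instead.
DNSOverTLS=yes

; DNSSEC validation is independent of transport encryption:
; "yes" validates and fails closed; "allow-downgrade" validates where
; the upstream supports it; "no" disables validation entirely.
DNSSEC=allow-downgrade

; Keep the local positive/negative cache so the extra TLS handshake
; cost is paid once per upstream connection, not once per lookup.
Cache=yes
```

After `systemctl restart systemd-resolved`, `resolvectl status` shows whether DNSOverTLS and DNSSEC are in effect, and `resolvectl statistics` reports cache hits and misses so you can confirm the cache is doing its job.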


You are not mistaken; DNSSEC doesn't encrypt records, and DoH does. DoH also authenticates the channel between you and your name server. It's likely that DoH will ultimately obviate the need for DNSSEC anywhere.