Add mechanism to disable unencrypted DNS queries

NextDNS can accept unencrypted queries on port 53. For security reasons, it would be useful to be able to block all such queries.