We have a transparent proxy in a system extension. We intercept all traffic from the machine using 0.0.0.0 and :: as include rules for protocol ANY. We intercept all DNS queries and forward them to a public or private DNS server based on whether it's a private domain or not.
In most cases, everything works fine.
However, sometimes git commands (over SSH) in the terminal fail to resolve DNS and receive the error below:
ssh: Could not resolve hostname gitserver.corp.company.com: nodename nor servname provided, or not known
While investigating, we found that mDNSResponder was using HTTPS to dns.google to resolve the queries securely.
While this works for public domains (not how we would want it anyway), the query fails for our company's private domains because the Transparent Proxy cannot read the DNS query to be able to tunnel or respond to it.
Several years back when secure DNS was introduced to Apple platforms, I remember in one of the WWDC sessions, it was mentioned that VPN providers will still get plain text queries even when system has secure DNS configured or available.
In this case, there is no DNS proxy or any other setting to enable secure DNS on the machine except for Google Public DNS being configured as the DNS server. So my question is:
Shouldn't transparent proxy also get plain text DNS queries like PacketTunnelProvider?
And is there a way to disable/block the secure DNS feature in mDNSResponder or on machine itself? Using Transparent proxy or MDM or any other config? So that transparent proxy can handle/resolve public and private domains correctly.
Another thing we noticed is that not all queries are going over a secure channel. We still get quite a few queries over plain UDP. So is there any rule/criteria for when mDNSResponder uses secure DNS and when it uses plain text DNS over UDP?
I believe the droid you’re looking for here is RFC 9462, and specifically _dns.resolver.arpa. That allows a program with a privileged DNS position, like a DNS proxy, to prevent the opportunistic switch to secure DNS.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
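To make the RFC 9462 pointer concrete for the proxy described in the question: Discovery of Designated Resolvers (DDR) works by the stub resolver sending an SVCB (type 64) query for _dns.resolver.arpa to its configured resolver over plain port 53; if that probe gets no records back, the client stays on unencrypted DNS. The following is an added example, not code from this thread, from Apple, or from the poster's product. It parses a DNS query from the wire, recognises the DDR probe, and builds the empty NOERROR (NODATA) reply that a proxy sitting in the port-53 path can return to suppress the upgrade. The record type and name come from RFC 9460/9462; the function names, the sample queries and the transaction id are my own constructed values.

```python
"""
Added example: detect the RFC 9462 (DDR) discovery probe in a raw DNS query
and answer it with an empty NOERROR reply so the client keeps using Do53.
Helper names and sample inputs are constructed for this example.
"""
import struct

QTYPE_A = 1
QTYPE_SVCB = 64                 # SVCB record type (RFC 9460), used by DDR
DDR_NAME = "_dns.resolver.arpa" # special-use name from RFC 9462


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Return (name, offset_after_name); follows compression pointers."""
    labels, end, jumped = [], offset, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                         # compression pointer
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Standard recursive query with one question, class IN (constructed)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes) -> dict:
    """Parse header and the single question of a DNS query packet."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype,
            "qclass": qclass, "question": packet[12:off + 4]}


def is_ddr_discovery(q: dict) -> bool:
    """True for the SVCB _dns.resolver.arpa probe defined by RFC 9462."""
    return q["qname"].lower() == DDR_NAME and q["qtype"] == QTYPE_SVCB


def build_nodata_reply(q: dict) -> bytes:
    """NOERROR with an empty answer section: 'no designated resolver here'."""
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    header = struct.pack("!HHHHHH", q["txid"], flags, 1, 0, 0, 0)
    return header + q["question"]


def handle(packet: bytes):
    """Return ('answer', reply) for DDR probes, ('forward', None) otherwise."""
    q = parse_query(packet)
    if is_ddr_discovery(q):
        return "answer", build_nodata_reply(q)
    return "forward", None


if __name__ == "__main__":
    action, reply = handle(build_query(DDR_NAME, QTYPE_SVCB))
    print(action, reply.hex())
    print(handle(build_query("gitserver.corp.company.com", QTYPE_A))[0])
```

Every other query falls through to the proxy's normal forwarding path, so the private-domain split described in the question is untouched. The check only helps when the proxy actually sees the port-53 probe before the upstream resolver does; a client that has already cached a designated resolver will keep using it until that record expires.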