
albertgoeswoof, today at 8:20 AM (0 replies)

It can’t be fully secure, but you can use a domain or path with a UUID or similar such that no one could guess your DNS endpoint over DoT or DoH. In theory someone might log your DNS query and then replay it against your DNS server, though.

You could also add whitelisting on your DNS server to known IPs, or at least ranges, to limit exposure, and add rate limiting / detection of patterns you wouldn’t exhibit, etc.

You could rotate your DNS endpoint address every x minutes on some known algorithm implemented client- and server-side.

But in the end it’s mostly security through obscurity, unless you go via your own tailnet or similar.