DNS over TLS / DoT as a private Service (authentication) possible?

I have set up a DNS resolver and nginx upstream server as a working "DNS over TLS" server (and DNS over HTTPS, but Android uses TLS).

This works great so far, but my wish is to make it private with some kind of authentication.

Only specific Users should be able to use it.

The problem is that, for example, on Android devices it is only possible to enter one single "private DNS server" - I have found no suitable authentication method for this scenario.

Does anyone have an idea how to "make my DNS over TLS server private with Android 9"?

Possible "almost solution": configure nginx to allow only connections from specific IP addresses (generate the allowed IP address list via script and include it).

This has the major problem that when the IP changes, the client may no longer be able to resolve either the DoT server or the DynDNS provider.

Not tested yet, but this should not be the preferred solution I think. Suggestions welcome.


Neither DoT nor DoH are really specified or implemented with client authentication in mind.

Even though one could imagine leveraging protocol features like client certificates (either) or HTTP authentication mechanisms (DoH) or even TSIG (either), actual normal clients don’t implement these.

For DoH, however, you have the option of just putting a secret in the path component of the URL. So there you have a simple option that doesn’t require that the client even knows that it’s authenticating.

Other than requiring client functionality that is not normally in place, I think you’ll have to resort to limiting access by IP for DoT.
(In theory I guess you could inspect SNI, expecting a secret in the hostname, but that would be very weak as the supposed secret would not be kept secret. Doesn’t really fly, but the hostname is the only config parameter for e.g. the Android client, so there aren’t really a lot of options.)
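The two workable options from the thread, the IP allow-list for DoT (proposed in the question, endorsed in the answer) and a secret in the URL path for DoH, as one nginx configuration. This is an added example and not the asker's or answerer's own config. It assumes a local resolver listening on 127.0.0.1:5353 for plain DNS (backend for DoT) and on 127.0.0.1:8053 for a plain-HTTP DoH endpoint at /dns-query; the hostnames, certificate paths, the allow-list file and the secret path segment are placeholders, and the `stream` block needs nginx built with the stream module (standard in most distribution packages).

```nginx
# Added example: nginx fronting a local resolver for DoT (port 853) and DoH (port 443).
# Assumed backends: 127.0.0.1:5353 (plain DNS over TCP) and 127.0.0.1:8053 (plain-HTTP DoH).

stream {
    # DoT: TLS termination on 853, access limited by source IP.
    # /etc/nginx/dot-allow.conf is regenerated by an external script
    # (for example from DynDNS names) and contains only lines such as
    #   allow 203.0.113.10;
    # The closing "deny all" is kept here so a truncated allow file
    # fails closed instead of opening the resolver to everyone.
    server {
        listen 853 ssl;
        ssl_certificate     /etc/letsencrypt/live/dot.example.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dot.example.org/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        include /etc/nginx/dot-allow.conf;
        deny all;

        # DoT carries ordinary DNS-over-TCP inside TLS (RFC 7858),
        # so a plain TCP proxy to the resolver is all that is needed.
        proxy_pass 127.0.0.1:5353;
    }
}

http {
    # Log requests without the URI, so the secret path segment never
    # lands in the access log while source IPs and status codes are kept
    # for monitoring.
    log_format doh_nouri '$remote_addr [$time_local] $status $body_bytes_sent';

    server {
        listen 443 ssl http2;
        server_name doh.example.org;
        ssl_certificate     /etc/letsencrypt/live/doh.example.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/doh.example.org/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        access_log /var/log/nginx/doh.log doh_nouri;

        # DoH: the client is configured with
        #   https://doh.example.org/REPLACE_WITH_LONG_RANDOM_SECRET/dns-query
        # and does not need to know that the path is acting as a credential.
        location = /REPLACE_WITH_LONG_RANDOM_SECRET/dns-query {
            proxy_pass         http://127.0.0.1:8053/dns-query;
            proxy_http_version 1.1;
            proxy_set_header   Host $host;
        }

        # Everything else, including /dns-query without the secret,
        # gets a 404 so the host looks like an ordinary web server to probes.
        location / {
            return 404;
        }
    }
}
```

The DoT half still has the weakness the question describes: an allow-list entry is only as current as the script that regenerates it, so a client whose address changed is locked out until the list is rebuilt. The DoH half avoids that, but the secret is a bearer credential, so it should be long and random, rotated by changing the `location`, and kept out of any log that records the request line (the custom `log_format` above does that).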