greetdnashoe
"Does GrapheneOS disconnect private DNS by design?"
No.
"I'm using Control D, their Quick Settings app, which uses the VPN settings."
It is generally advisable to refrain from using the Control D Quick Setup app. As the developers themselves note, "This app is optional to use Control D, as we recommend the use of the Private DNS feature in Android, which requires no installed software." Moreover, given that the Control D Quick Setup app utilizes the Android VPN service, here are two pertinent quotes from the GrapheneOS FAQ:
"Using the VPN service to provide something other than a VPN also means that these apps need to provide an actual VPN implementation or a way to forward to apps providing one, and very few have bothered to implement this."
"The recommended approach to system-wide ad-blocking is setting up domain-based ad-blocking as part of DNS resolution. You can do this by choosing a Private DNS (DNS-over-TLS) server that supports blocking ad domains. For example, AdGuard DNS can be used by setting dns.adguard-dns.com as the Private DNS domain."
In summary, I recommend discontinuing the use of the Control D Quick Setup app and instead utilizing the Private DNS feature found in Settings > Network & internet > Private DNS to configure the hostname of a DNS-over-TLS server.