I had my private DNS set to "dns.adguard.com" for a long time with no issues. I have also been running a WireGuard VPN more recently. The WireGuard VPN is not in lockdown mode, i.e. "Block connections without VPN" is off. Also, in the WireGuard app I have Allowed IPs for the endpoint set only to the VPN subnet, like "10.x.x.0/24", so only traffic intended for the VPN gets routed there. I can check that if I open a browser and go to e.g. speedtest.com, my IP is my home IP rather than the VPN endpoint.
Anyway, I have noticed lately that under "Private DNS" the status is reported as "Couldn't connect." I think that in the past I didn't see this message even with the VPN on, but I can't be sure. If I disable the VPN, the "Couldn't connect" message is gone and the status reads "dns.adguard.com" as expected. This seems to happen regardless of DNS provider. HOWEVER, even with the VPN on and the Private DNS set to dns.adguard.com and the "Couldn't connect" status message present, I do seem to get filtered DNS. If I try to ping "google-analytics.com", for example, I get replies from 127.0.0.1. If I turn off Private DNS (VPN still on) I get replies from the Google 1e100.net domain.
So Private DNS with non-lockdown VPN seems to be working as expected... why does it say "Couldn't connect" then?
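The post is really asking two separate things: whether the phone can reach the DNS-over-TLS resolver at all through the current routing, and whether the answers that come back are the filtered ones. Android's "Private DNS" status only reports its own probe of the first. The script below is an added example (not the poster's code, and not AdGuard's) that checks both directly from any machine on the same network or VPN: it speaks DNS-over-TLS to dns.adguard.com on the standard port 853, parses the answer section, and classifies an answer as filtered when every returned address is a loopback or unspecified sinkhole such as 127.0.0.1, 0.0.0.0 or ::. The constructed sample response embedded in it (the 127.0.0.1 answer the post describes) lets the parser run offline; the live query is only made when the script is run as a program.

```python
import ipaddress
import socket
import ssl
import struct

DOT_SERVER = "dns.adguard.com"   # the resolver named in the post
DOT_PORT = 853                    # standard DNS-over-TLS port (RFC 7858)


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal wire-format DNS query (RD set, one question, IN class)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_addresses(resp):
    """Return the A/AAAA addresses found in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):            # skip the echoed question(s)
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == 28 and rdlen == 16:
            addrs.append(str(ipaddress.IPv6Address(rdata)))
        # CNAME and other record types are skipped
    return addrs


def is_sinkholed(addrs):
    """True when every returned address is a loopback/unspecified sinkhole (filtered)."""
    if not addrs:
        return False
    return all(
        ipaddress.ip_address(a).is_loopback or ipaddress.ip_address(a).is_unspecified
        for a in addrs
    )


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT server closed the connection early")
        buf += chunk
    return buf


def dot_query(name, server=DOT_SERVER, port=DOT_PORT, timeout=5.0):
    """Send one query over DNS-over-TLS and return the raw response (network call)."""
    ctx = ssl.create_default_context()      # verifies the resolver's certificate
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            query = build_query(name)
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


# Constructed sample (not captured traffic): a filtered answer for
# google-analytics.com resolving to 127.0.0.1, the shape the post describes.
SAMPLE_FILTERED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x10google-analytics\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([127, 0, 0, 1])
)


if __name__ == "__main__":
    sample = parse_addresses(SAMPLE_FILTERED_RESPONSE)
    print("constructed sample answer:", sample, "filtered:", is_sinkholed(sample))
    try:
        answer = parse_addresses(dot_query("google-analytics.com"))
        print(f"{DOT_SERVER}:{DOT_PORT} reachable; answer {answer}; "
              f"filtered: {is_sinkholed(answer)}")
    except OSError as exc:               # covers timeouts, refused connects, TLS errors
        print(f"DoT to {DOT_SERVER}:{DOT_PORT} failed: {exc}")
```

Run it once with the VPN tunnel up and once with it down. A TLS handshake that fails only while the tunnel is up points at routing or firewalling of port 853 through the tunnel; a handshake that succeeds and returns a sinkholed answer shows the filtering resolver is being reached and answering, independently of whatever Android's own status probe reports.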