
in reply to daniel:// stenberg://

Regarding native HTTPS DNS records for #ECH: Firefox recently added support for those in their code. Maybe that code helps you implement support in curl. In short: on Unix it uses `res_nquery` (glibc) or `res_query` (musl, macOS), on Windows `DnsQuery_A` and on Android `android_res_nquery` (available since Android 10).
The relevant code can be found here: https://searchfox.org/mozilla-central/search?q=ResolveHTTPSRecord&path=&case=false&regexp=false
#ech
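
An added example, not part of the thread and not Firefox or curl code: a minimal C parser for the RDATA of one HTTPS record in RFC 9460 wire format, as it appears in the answer a call such as `res_nquery` returns, locating the `ech` parameter. The function name `https_rdata_find_ech` and the sample bytes are constructed for illustration; the `ech` value is a placeholder, not a real ECHConfigList.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SVCPARAM_ECH 5  /* "ech" SvcParamKey number in the RFC 9460 registry */

/* Constructed sample RDATA: priority 1, TargetName ".", alpn=h2, ech=<4 placeholder bytes> */
static const uint8_t sample_rdata[] = {
    0x00, 0x01, 0x00,
    0x00, 0x01, 0x00, 0x03, 0x02, 'h', '2',
    0x00, 0x05, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 1 and sets *ech / *ech_len if the ech parameter is present,
 * 0 if it is absent, -1 if the RDATA is malformed or truncated. */
int https_rdata_find_ech(const uint8_t *rd, size_t len,
                         const uint8_t **ech, size_t *ech_len)
{
    size_t off = 2;                        /* position after SvcPriority */
    long prev_key = -1;

    if (len < 3) return -1;
    for (;;) {                             /* TargetName: uncompressed labels */
        if (off >= len) return -1;
        uint8_t l = rd[off++];
        if (l == 0) break;                 /* root label ends the name */
        if (l > 63 || l > len - off) return -1;  /* no compression pointers */
        off += l;
    }
    if (rd16(rd) == 0) return 0;           /* AliasMode carries no SvcParams */
    while (off < len) {                    /* SvcParams: key(2) length(2) value */
        if (len - off < 4) return -1;
        uint16_t key = rd16(rd + off), vlen = rd16(rd + off + 2);
        off += 4;
        /* value must fit, and keys must be strictly increasing */
        if (vlen > len - off || (long)key <= prev_key) return -1;
        if (key == SVCPARAM_ECH) { *ech = rd + off; *ech_len = vlen; return 1; }
        prev_key = key;
        off += vlen;
    }
    return 0;
}

int main(void) {
    const uint8_t *e = NULL; size_t n = 0;
    int r = https_rdata_find_ech(sample_rdata, sizeof sample_rdata, &e, &n);
    printf("result=%d ech_len=%zu\n", r, n);
    return r == 1 ? 0 : 1;
}
```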
in reply to Mynacol

@mynacol we already optionally use c-ares, which seems to me like a better approach. But there is also a challenge in adding extra resolves next to getaddrinfo as it is hard to know when it is not using plain DNS etc...
in reply to daniel:// stenberg://

True, using another library that encapsulates the DNS querying is nice.
I don't get the second part. The information in HTTPS RRs is useful regardless of encryption. And getaddrinfo and the other methods should either both or none be encrypted?
in reply to Mynacol

@mynacol the point is that if getaddrinfo returns the information from somewhere *else* than DNS, then getting data for HTTPS over DNS for the same domain would be wrong