There should be no change in this behavior between Roaming Client and Secure Client. We'll look into it though.
For Firefox, it the encrypted DNS should not kick on because of the use-application-dns.net domain as noted here: https://support.umbrella...
Your instincts are correct! There's no need to run a backup of the VAs like that. If they got corrupted somehow you'd just deploy a fresh image from the dashboard.
Looks like they are having nameserver issues. Our resolved are getting no response, and it looks like many other dns services are having the same issue with them.