Currently dnsproxy/AGH uses only the secondary IP for encrypted DNS resolvers (DOH/DOT/DOQ) leading to worse performance with certain providers such as Nextdns where primary and secondary resolvers are located on different countries/cities.

Best regards.

There's no "primary" and "secondary" IP address concept in the case of an encrypted resolver.

But just in case, here's the logic of selecting the first IP address to use in the dnsproxy's bootstrap:
https://github.com/AdguardTeam/dnsproxy/blob/master/internal/netutil/netutil.go#L63

If you want to use a particular IP address instead of relying on the ones that are resolved using bootstrap, I suggest using a DNS stamp with that IP address configured instead of just the domain name.

You can construct a DNS stamp here: https://dnscrypt.info/stamps