You should never expose a DNS server publicly. Connect to your VPS through a VPN like WireGuard.
Do you have a second DNS server configured in Windows which it could use as a fallback?
Dual-Stack is usually no problem, but going IPv6-only is a pain, because a surprising amount of services are v4 only. Even NAT64/DNS64 doesn’t help everywhere.
Yes, https://containrrr.dev/watchtower/ is a great tool. Used it myself for a while now.
https://www.wireguardconfig.com/