MarvintheMartian
Member since: 2025-01-22
MarvintheMartian 23d

My new hero! Love to be in his wolfpack!

MarvintheMartian 17d

Love that you are sharing this information! I went down the DNS rabbit hole a few months ago and thought I'd share a few things I learned in case it helps anyone. First off, everything you said here is consistent with my experience. A few other things I learned based on my research and conversations with others:

- Even using Unbound locally, ISPs can see your DNS requests when Unbound makes plaintext DNS requests to upstream root name servers. Running all traffic through a VPN (including Unbound traffic) can help with this. On the flip side, having a local DNS cache will reduce the number of DNS requests your system needs to send upstream, enhancing privacy.

- As you discuss, encrypting DNS requests using DoH or DoT helps with privacy. DoH uses the HTTPS protocol and is hard to block on networks since it uses the same port as HTTPS (443). By default DoT uses a different port (853) and is easier to block, but some argue this protocol offers modestly better privacy. However, I understand DoH and DoT protocols still use plaintext DNS to initially resolve a hostname (but this level of technical detail on DNS protocols is above my pay grade).

For my setup, I started simple, with a local Pi-hole and Unbound, but ultimately wanted to overcome the plaintext issue and maximize privacy. After getting comfortable with the first setup, I started testing more complex setups to try to further enhance privacy. I ultimately landed on running local DNS on a Linux server and encrypting upstream requests using DNSCrypt for all LAN traffic; these requests are sent through anonymized DNSCrypt relays to the DNSCrypt DNS resolver. My setup uses a load-balanced and anonymized approach to about 8 different "no-log" servers globally, so I shouldn't need fallback DNS servers.

This way, all traffic is encrypted from start to finish: the relay knows my IP address but not the DNS request (since it's encrypted); the DNS resolver knows the DNS request but not my IP address (since only the relay sees that). Compartmentalizing data is the risk mitigation strategy there, along with encryption. This is a more complicated approach, with command line work and config file editing to get DNSCrypt to work this way, but so far so good. More info on DNSCrypt is here if you're interested: https://dnscrypt.info/

For mobile, I 100% agree... all of my mobile devices use either AdGuard DNS or NextDNS (all encrypted traffic, no plaintext). I also played with ControlD but didn't use them, really no good reason other than I didn't want three different DNS accounts. I'd also recommend using email aliases to set up the accounts and a privacy payment setup so they don't have your actual email or credit card info. Last, if you can configure logs, set them for a short period of time (so you can troubleshoot if good websites are being blocked) and pick a privacy friendly location for the server (NextDNS allows you to pick a server location, although it's a small list).

For travel routers I also 100% agree... I run my travel router through either NextDNS or using a similar approach as with my LAN, through anonymized DNSCrypt servers. It was a bit of a headache going through this process, but a great learning opportunity and a great way to increase privacy; most people have no idea about DNS and how that system works and leaks data. Your guide would have saved me a lot of time. 😀
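The relay-plus-resolver split described in the comment above (relay sees the client IP but not the query, resolver sees the query but not the client IP) is what dnscrypt-proxy's Anonymized DNSCrypt feature implements. The configuration below is an added example written by the editor, not the commenter's own config or anything shipped by the DNSCrypt project; it assumes a stock dnscrypt-proxy 2.x install. The server and relay names (`nolog-resolver-1` etc., `anon-relay-a` etc.) are placeholders and must be replaced with real entries from the fetched public-resolvers and relays lists; the two source URLs and the list-signing key are the ones published in the project's example config.

```toml
# dnscrypt-proxy.toml: load-balanced, anonymized DNSCrypt upstreams (added example, not the original post's config)

# Where the local stub listens. Point Pi-hole/Unbound/your LAN clients here.
listen_addresses = ['127.0.0.1:5353']

# Anonymized routes only work with DNSCrypt servers, so disable DoH/ODoH upstreams.
dnscrypt_servers = true
doh_servers = false
odoh_servers = false

# Only accept resolvers whose list entries claim no logging, no filtering, and DNSSEC.
require_nolog = true
require_nofilter = true
require_dnssec = true

# Placeholder names: replace with ~8 entries from public-resolvers.md that meet the flags above.
server_names = ['nolog-resolver-1', 'nolog-resolver-2', 'nolog-resolver-3', 'nolog-resolver-4']

# Spread queries over the fastest two candidates rather than always using one server,
# which is what gives the "no fallback needed" behaviour: any healthy server can answer.
lb_strategy = 'p2'
lb_estimator = true

# Local cache so repeated names never leave the host at all.
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400

# Keep troubleshooting logs short-lived; the query log is off entirely.
log_level = 2
[query_log]
  # file = 'query.log'   # uncomment only while debugging blocked sites

[sources]
  [sources.public-resolvers]
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md',
          'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFTe'
  refresh_delay = 72

  [sources.relays]
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md',
          'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
  cache_file = 'relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFTe'
  refresh_delay = 72

[anonymized_dns]
  # '*' routes every selected server through one of the listed relays (placeholder names).
  # A relay run by the same operator as the resolver defeats the purpose, so pick
  # relays and resolvers from different operators.
  routes = [
    { server_name = '*', via = ['anon-relay-a', 'anon-relay-b'] }
  ]
  # Drop any selected server that cannot be reached through a relay instead of
  # silently falling back to a direct (IP-revealing) connection.
  skip_incompatible = true
```

After editing, `dnscrypt-proxy -check` validates the file and `dnscrypt-proxy -resolve example.com` shows which server answered; with `skip_incompatible = true`, a server that cannot be relayed is excluded rather than queried directly, which is the setting worth double-checking because the default leaves direct fallback on. If Unbound is kept in front for its cache and DNSSEC validation, a `forward-zone` for `.` pointing at `127.0.0.1@5353` replaces its plaintext recursion to the root servers with the encrypted, relayed path above.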
