Hacker News
by isostatic 2654 days ago
Worst case scenario is your first hop downstream from the cable modem does port 53 interception and redirects.

However if the only ISP you can get is so hostile, the solution is to tunnel (IPSEC/SSTP/whatever works) all your traffic to a non-hostile network.

1 comment

Use a firewall with NAT to redirect all DNS traffic to a DoT or DoH DNS proxy in your network.

That way you don't have to tunnel all your traffic. (Though technically you could also use the tunnel for only DNS, but it's not much easier than the solution above if you want this to apply to all your devices.)

If they’re intercepting and changing your DNS packets, what else are they doing? At the very least you can assume port 80 is unsafe and should be tunnelled. SNI is a privacy problem too, so forward 443.
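The NAT redirect the reply describes, as an added example that is not from either commenter: an nftables ruleset for a Linux router that hairpins every LAN port-53 query into a local DoT/DoH stub resolver, plus a fail-closed rule so no plaintext DNS leaves if the NAT rule is ever removed. The LAN interface name (br0) and the stub's listening port (5353) are placeholders; the stub itself (any DoT/DoH forwarder) is assumed to already be running on the router.

```shell
#!/bin/sh
# Added example (not from the HN thread). Assumptions: the router runs a
# DoT/DoH stub resolver on 127.0.0.1:<proxy_port>, the LAN faces <lan_if>,
# and the stub talks upstream on 853 (DoT) or 443 (DoH), so redirecting
# port 53 can never loop back into itself. inet-family NAT needs Linux 5.2+.

# Print the ruleset for the given LAN interface and stub port.
dns_redirect_ruleset() {
    lan_if=$1
    proxy_port=$2
    cat <<EOF
table inet dns_redirect {
    chain prerouting {
        # NAT prerouting, priority -100 (dstnat): rewrite before routing.
        type nat hook prerouting priority -100; policy accept;
        # Every LAN DNS query, UDP and TCP, is steered into the local stub,
        # whatever resolver address the client was configured with.
        iifname "$lan_if" udp dport 53 redirect to :$proxy_port
        iifname "$lan_if" tcp dport 53 redirect to :$proxy_port
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Defence in depth: redirected queries never reach this chain, so
        # anything matching here is a leak (e.g. NAT table removed). Drop it
        # rather than let it go out in the clear to the intercepting hop.
        iifname "$lan_if" udp dport 53 drop
        iifname "$lan_if" tcp dport 53 drop
    }
}
EOF
}

# Load the ruleset atomically; run as root on the router.
apply_dns_redirect() {
    dns_redirect_ruleset "$1" "$2" | nft -f -
}

# Typical use on the router:  apply_dns_redirect br0 5353
```

After loading, a query from a LAN host to any resolver on port 53 (for example `dig @1.1.1.1 example.com`) is answered by the stub, and `nft list table inet dns_redirect` shows the packet counters climbing on the redirect rules rather than the drop rules.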