DNSSEC protects against that for well-configured domains, though you can't assume people put in the effort.
You can use ODoH (https://blog.cloudflare.com/oblivious-dns/) to double-encrypt your DNS requests and forward them through an external server, disconnecting your query from your response, and encrypting your upstream DNS requests. You can pick any relay from this list: https://download.dnscrypt.info/dnscrypt-resolvers/v3/odoh-re... (need to de-base64 them to get the actual domain) and any upstream DOH server you prefer.
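The "de-base64" step for entries in that relay list, as an added example (not code from the comment above or from the dnscrypt project). It assumes each entry is an `sdns://` stamp laid out as an ODoH relay in the DNS Stamps specification (protocol byte 0x85, 8-byte props, address, certificate-hash set, hostname, path); `relay.example`, `/proxy` and all function names are constructed for illustration.

```python
import base64
import struct

ODOH_RELAY = 0x85  # protocol byte for an ODoH relay stamp (assumed from the stamp spec)

def read_lp(buf, pos):
    """Read one field: a length byte followed by that many bytes."""
    if pos >= len(buf) or pos + 1 + buf[pos] > len(buf):
        raise ValueError("truncated stamp")
    end = pos + 1 + buf[pos]
    return buf[pos + 1:end], end

def read_vlp(buf, pos):
    """Read a set of fields; a set high bit on a length byte means more follow."""
    items = []
    while True:
        if pos >= len(buf):
            raise ValueError("truncated stamp")
        more, n = buf[pos] & 0x80, buf[pos] & 0x7F
        end = pos + 1 + n
        if end > len(buf):
            raise ValueError("truncated stamp")
        if n:
            items.append(buf[pos + 1:end])
        pos = end
        if not more:
            return items, pos

def parse_odoh_relay(stamp):
    """Decode an sdns:// ODoH relay stamp into address, cert hashes, hostname, path."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # restore padding
    if len(raw) < 9 or raw[0] != ODOH_RELAY:
        raise ValueError("not an ODoH relay stamp")
    addr, pos = read_lp(raw, 9)        # bytes 1..8 are the little-endian props field
    hashes, pos = read_vlp(raw, pos)   # pinned certificate hashes, may be empty
    host, pos = read_lp(raw, pos)
    path, pos = read_lp(raw, pos)
    return {"addr": addr.decode(), "hashes": [h.hex() for h in hashes],
            "hostname": host.decode(), "path": path.decode()}

def build_stamp(hostname, path, hashes=()):
    """Build a constructed relay stamp (empty address, props = 0) to use as sample input."""
    lp = lambda b: bytes([len(b)]) + b
    vlp = b"".join(bytes([len(h) | (0x80 if i < len(hashes) - 1 else 0)]) + h
                   for i, h in enumerate(hashes)) or b"\x00"
    raw = (bytes([ODOH_RELAY]) + struct.pack("<Q", 0) + lp(b"") + vlp
           + lp(hostname.encode()) + lp(path.encode()))
    return "sdns://" + base64.urlsafe_b64encode(raw).decode().rstrip("=")

if __name__ == "__main__":
    print(parse_odoh_relay(build_stamp("relay.example", "/proxy")))
```

The `hostname` field is the relay domain; a stamp that carries certificate hashes also tells the client which relay certificate to pin.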
> DNSSEC protects against that for well-configured domains
This isn't effective against DNS-level censorship, though. A DNSSEC validation error is just as effective as a fake NXDOMAIN or bogus IP at keeping me from visiting the correct site.
It works in the sense that at least you can know your ISP is messing with your DNS. If they mess with DNS, they might as well just block an IP (range), so a DNS alternative probably won't bypass most censorship. You're better off with a decent VPN at that point.
I temporarily agree with this, but once TLS ECH gets widely deployed then I won't. I can see an ISP blocking a single domain, but not all of Cloudflare just because it's hosted there.