by supernetworks 296 days ago
Encrypted DNS goes a long way towards mitigating this as well.

Does dnsmasq have a way to forward via DOH/DOT? (I've no idea: I don't use it myself)
Not at the moment; to achieve this, you typically put it behind something like dnsproxy [1][2].

I have done this on my router, along with a couple firewall rules to prevent plaintext DNS queries leaking out of the WAN port. dnsmasq is configured to talk to dnsproxy, and dnsproxy is configured to use DNS over TLS with 1.1.1.1 [3]

[1] https://github.com/AdguardTeam/dnsproxy

[2] https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq...

[3] https://news.ycombinator.com/item?id=44429118
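
An added example, not part of the thread: a check that a dnsmasq configuration forwards only to a local proxy such as dnsproxy, which is the forwarding half of the setup described above (the firewall rules are not covered). The function name, the loopback port 5353 and both sample configs are constructed assumptions.

```python
import ipaddress
import re

def audit_dnsmasq(conf_text):
    """Return findings for a dnsmasq config that is meant to forward
    only to a local encrypted-DNS proxy listening on loopback."""
    findings, upstreams, no_resolv = [], [], False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        # dnsmasq treats '#' as a comment only at line start or after
        # whitespace, so 'server=127.0.0.1#5353' keeps its port.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line == "no-resolv":
            no_resolv = True
        elif line.startswith("server="):
            # Forms: ADDR, ADDR#PORT, /domain/ADDR, ADDR@iface
            target = line[len("server="):].rsplit("/", 1)[-1]
            addr = target.split("@", 1)[0].split("#", 1)[0]
            if not addr:
                continue  # '/domain/' alone: answered locally, no upstream
            upstreams.append(addr)
            try:
                if not ipaddress.ip_address(addr).is_loopback:
                    findings.append(f"line {lineno}: upstream {addr} is not loopback")
            except ValueError:
                findings.append(f"line {lineno}: cannot parse upstream {addr!r}")
    if not no_resolv:
        findings.append("no-resolv missing: resolv.conf servers are also used")
    if not upstreams:
        findings.append("no server= line: nothing points at the local proxy")
    return findings

# Constructed sample configs (port 5353 is an assumed proxy port).
GOOD = """\
# forward everything to the local DoT proxy
no-resolv
server=127.0.0.1#5353
"""
LEAKY = """\
server=127.0.0.1#5353
server=/example.lan/192.0.2.53   # constructed address
"""

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("LEAKY", LEAKY)):
        print(name, audit_dnsmasq(conf) or "ok")
```

A clean result only says dnsmasq itself has no plaintext upstream; clients that query an outside resolver directly are what the WAN firewall rules are for.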