On 2017-06-19, Rui Ribeiro <ruyrybe...@gmail.com> wrote:
> Depending on how "evil" the ISP is, or how you want to obfuscate your
> metadata, you might want to have a look at dnscrypt

Yes, that's an option, though it does just move your trust from the ISP
to the dnscrypt server operator.

Checking DNSSEC (which you can do on a local recursive resolver, even
if it's forwarding through an ISP or dnscrypt server) at least helps for
domains which sign their zones.
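
An added example, not part of the original message: a small check of whether the local resolver is actually validating DNSSEC, based on the status and the `ad` (authenticated data) flag in `dig` output. The resolver address 127.0.0.1, the name `signed.example` and the two sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify a dig response read on stdin by what it says about DNSSEC validation.
# Live use (assumes the local resolver listens on 127.0.0.1):
#   dig +dnssec signed.example @127.0.0.1 | classify_dig

classify_dig() {
    awk '
        /->>HEADER<<-/ {
            # Pull the response code out of "status: NOERROR".
            if (match($0, /status: [A-Z]+/))
                status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            # Keep only the flag words between "flags:" and the next ";".
            line = $0
            sub(/^;; flags:/, "", line)
            sub(/;.*/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            # SERVFAIL is what a validating resolver returns for bogus data,
            # though it can also mean an unrelated lookup failure.
            if (status == "SERVFAIL") print "failed"
            else if (status == "NOERROR" && ad) print "validated"
            else if (status == "NOERROR") print "unvalidated"
            else print "other"
        }'
}

# Constructed sample: signed zone answered by a validating resolver.
sample_validated() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Constructed sample: same query, but the resolver did not validate
# (or the zone is unsigned), so the ad flag is absent.
sample_unvalidated() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

printf 'validated sample:   %s\n' "$(sample_validated | classify_dig)"
printf 'unvalidated sample: %s\n' "$(sample_unvalidated | classify_dig)"
```

A result of `unvalidated` for a zone known to be signed means the answer passed through the upstream forwarder without being checked locally.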