On 2017-06-19, Rui Ribeiro <[email protected]> wrote: > Depending on how "evil" the ISP is, or how you want to obfuscate your > metadata, you might want to have a look at dnscrypt > https://blog.ipredator.se/openbsd-dnscrypt-howto.html
Yes, that's an option, though it does just move your trust from the ISP to the dnscrypt server operator. Checking dnssec (which you can do on a local recursive resolver, even if it's forwarding through an isp or dnscrypt server) at least helps for domains which sign their zones.
