So I'm not big into DNS and I don't have a firm grasp on all of these techniques, but I have an idea.
This is all just a big game of who are you hiding from, right? If you hide from your ISP, now you have to trust the DNS server provider. Who among them is to be trusted? For example, I'm pretty sure I could set up a DNS proxy somewhere in the "cloud" on some minimal operating system, then run IPsec in transport mode between my router and that server, and point all my clients to my proxy. There, I've successfully hidden from my ISP. I could do it over IPv6 just to be extra obfuscated. But does my ISP now get interested and ask the cloud provider where my DNS traffic is going, then they ask the DNS server provider on the other end? This is all very black-helicopter type of stuff, but I suppose it's possible. Is this really how far it goes? Do I really have to do everything through Tor? Maybe I missed something.

Andy