I’m not sure if I’d use pfSense, but some of the advice here is quite useful.

  • hawkwind@lemmy.management · 2 upvotes · 1 year ago

    pfSense allows for an “out-of-the-box”-ish gateway for most users, but it is a little overkill if your main concern is your ISP and their government du jour snooping on your DNS traffic.

    1. Get a router that is not your ISP router. Unless there is some rare chance they let you configure some other DNS. Even rarer chance it will be encrypted DNS.

    2. Update your router firmware and check to see if it supports encrypted DNS. I updated my Asus mesh wifi a few months ago and was pleasantly surprised to see it supported forwarding to encrypted services and it works great.

    3. Configure your end clients at the very least. Most modern browsers and even operating systems are starting to configure stand-alone encrypted DNS resolution. Five years ago this was a nightmare to set up. Today it’s a breeze.

    4. Huge recommend for Technitium, https://github.com/TechnitiumSoftware/DnsServer. Switched to this from pi-hole and never looking back. It focuses more on privacy, compatibility and security than block lists, but I found it to be way faster in my testing.

    Thanks for coming to my TEDx.
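An added example (not code from any commenter) of what the “encrypted DNS” in steps 2 and 3 looks like on the wire for DNS over HTTPS (RFC 8484): the query is a normal DNS message, only wrapped in an HTTPS request so an on-path ISP sees TLS instead of the names you resolve. The resolver URL and the response bytes are constructed for the demo, not captured from a real server.

```python
import base64
import struct
from typing import List, Tuple


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS wire-format query (RFC 1035). qtype 1 = A, 28 = AAAA.
    RFC 8484 recommends txid 0 so identical DoH queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url of the query, padding stripped, in ?dns=."""
    dns_param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns_param}"


def parse_a_answers(msg: bytes) -> Tuple[int, List[str]]:
    """Return (rcode, [IPv4 strings]) from a DNS response; handles name compression."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])

    def skip_name(o: int) -> int:
        while True:
            length = msg[o]
            if length == 0:
                return o + 1
            if length & 0xC0 == 0xC0:  # two-byte compression pointer
                return o + 2
            o += 1 + length

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


# Constructed sample response (not a real capture): example.com A 93.184.216.34,
# with the answer name given as a compression pointer (0xC00C) to the question.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([93, 184, 216, 34]))

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example.invalid/dns-query", q))  # hypothetical resolver
    print(parse_a_answers(SAMPLE_RESPONSE))
```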

  • c0mmandoMA · 1 upvote · 1 year ago


    Encrypted DNS is a meme. Use Opnsense + VPN + VPN DNS.