

If you are looking at self-hosting a local resolver, then just make sure it's not accessible from the public Internet. If you wish to host your own authoritative DNS server for your domain names, then just configuring query rate limiting will mitigate DoS or DNS amplification attacks. I have been self-hosting all my domain names for 2+ years now and it's not much of an issue.
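Added example (not code from the thread, from Technitium DNS or from Pi-hole): a small probe for the first point in the comment above, checking whether a DNS server answers recursive queries from outside, i.e. whether it is an open resolver that could be abused for amplification. The function names (build_query, make_reply, classify, check_live) and the address 203.0.113.53 are hypothetical; the replies the script classifies by default are constructed in the block itself so it runs offline.

```python
"""Added example, not code from the thread or from Technitium DNS: check whether a DNS
server answers recursive queries, i.e. whether it is an open resolver. Function names
(build_query, make_reply, classify, check_live) and the IP 203.0.113.53 are hypothetical."""
import socket
import struct

RCODE_REFUSED = 5

def build_query(name, txid=0x1234, rd=True):
    """Minimal DNS query for an A record. RD=1 asks the server to recurse, which is
    exactly what a server exposed to the public Internet must refuse."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def make_reply(query, ra, rcode, answer_ip=None):
    """Constructed reply to `query` (stands in for a live server in this example).
    The answer, if any, is one A record using a compression pointer to the question."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | (0x0080 if ra else 0) | (rcode & 0x0F)
    body = query[12:]                                   # copy the question section
    if answer_ip is not None:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0) + body

def parse_header(data):
    """Only the header fields that matter for the open-resolver decision."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}

def classify(query, reply):
    """Decide what a reply tells us. Probe with a name the server is NOT authoritative
    for (example.com is fine when testing your own authoritative server)."""
    q_id = struct.unpack("!H", query[:2])[0]
    try:
        h = parse_header(reply)
    except ValueError:
        return "invalid"
    if not h["qr"] or h["id"] != q_id:
        return "invalid"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"            # good: recursion denied
    if not h["ra"]:
        return "no-recursion"       # good: authoritative-only behaviour
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "open-resolver"      # bad if this server is reachable from the Internet
    return "unclear"

def check_live(server_ip, name="example.com", timeout=3.0):
    """Send the probe from OUTSIDE your network (a VPS, a phone on mobile data)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-answer"       # also fine: port 53 filtered from outside
    return classify(q, reply)

if __name__ == "__main__":
    q = build_query("example.com")
    for label, reply in [("recursing", make_reply(q, True, 0, "93.184.216.34")),
                         ("refusing", make_reply(q, False, RCODE_REFUSED)),
                         ("authoritative-only", make_reply(q, False, 0))]:
        print(f"{label:20s} -> {classify(q, reply)}")
    # check_live("203.0.113.53")  # hypothetical address; run this from outside your network
```

A result of "refused", "no-recursion" or "no-answer" from the outside is what you want; "open-resolver" means the rate limiting mentioned above is the only thing standing between you and being used as an amplifier, and the resolver should be firewalled off instead.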


It's actually much more beneficial to use a local DNS server even for a single user. A single user will keep sending DNS requests since the OS/apps cache DNS only for a minute or so. A local DNS server will keep the cache for the full TTL of the record and thus reduce the number of DNS requests that go out of your network. Plus there is the Serve Stale feature, which improves resiliency. For privacy, depending on your scenario, you can either run a recursive resolver or use encrypted DNS protocols to hide DNS from your ISP. There is also support for configuring a SOCKS5 or HTTP proxy to route requests via another server or via the Tor network.
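Added example (not code from the thread or from Technitium DNS) for the caching point made above: a cache that honours the record's full TTL and serves stale data when the upstream is unreachable, plus a small simulation comparing the upstream query count of a client that caps TTL at 60 seconds against one that keeps the record for its full TTL. Names (ResolverCache, resolve, count_upstream_queries, FakeClock) and the address 203.0.113.10 are hypothetical; the serve-stale behaviour follows the RFC 8767 model (answer from expired data with a short TTL when the upstream fails).

```python
"""Added example, not code from Technitium DNS: TTL-honouring cache with serve-stale.
Names (ResolverCache, resolve, count_upstream_queries) and 203.0.113.10 are hypothetical."""
import time
from dataclasses import dataclass

@dataclass
class CacheEntry:
    rdata: tuple        # e.g. ("203.0.113.10",)
    expires_at: float   # absolute time at which the record's TTL runs out

class ResolverCache:
    """Keeps records for their full TTL; after expiry they remain usable as 'stale'
    for up to serve_stale_max seconds (RFC 8767 style) in case the upstream is down."""
    def __init__(self, serve_stale_max=86400, clock=time.monotonic):
        self.serve_stale_max = serve_stale_max
        self.clock = clock
        self._store = {}

    def put(self, key, rdata, ttl):
        self._store[key] = CacheEntry(tuple(rdata), self.clock() + ttl)

    def lookup(self, key):
        """Return (rdata, remaining_ttl, status); status is 'fresh', 'stale' or None."""
        entry = self._store.get(key)
        if entry is None:
            return None, 0, None
        remaining = entry.expires_at - self.clock()
        if remaining > 0:
            return entry.rdata, int(remaining), "fresh"
        if -remaining <= self.serve_stale_max:
            return entry.rdata, 0, "stale"
        del self._store[key]        # too old even for serve-stale
        return None, 0, None

def resolve(cache, key, upstream):
    """upstream(key) returns (rdata, ttl) or raises OSError when unreachable.
    Fresh hit: no upstream traffic. Expired: ask upstream, fall back to stale data."""
    rdata, remaining, status = cache.lookup(key)
    if status == "fresh":
        return rdata, remaining, "cache"
    try:
        fresh_rdata, ttl = upstream(key)
    except OSError:
        if status == "stale":
            return rdata, 30, "stale"   # RFC 8767 recommends a short TTL (30 s) on stale answers
        raise
    cache.put(key, fresh_rdata, ttl)
    return tuple(fresh_rdata), ttl, "upstream"

class FakeClock:
    """Injectable clock so the behaviour can be exercised without waiting."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

def count_upstream_queries(ttl_cap, record_ttl=3600, interval=10, duration=3600):
    """Model one client asking for one name every `interval` seconds. ttl_cap=60 mimics
    an OS/app cache that forgets after a minute; ttl_cap=None honours the record TTL
    the way a local resolver does. Returns the number of queries sent upstream."""
    clock = FakeClock()
    cache = ResolverCache(clock=clock)
    calls = 0
    for _ in range(duration // interval):
        _, _, status = cache.lookup("example.com")
        if status != "fresh":
            calls += 1                                  # constructed upstream answer
            ttl = record_ttl if ttl_cap is None else min(record_ttl, ttl_cap)
            cache.put("example.com", ("203.0.113.10",), ttl)
        clock.advance(interval)
    return calls

if __name__ == "__main__":
    print("60 s client cache, 1 h, TTL 3600:", count_upstream_queries(60), "upstream queries")
    print("full-TTL local cache, same load: ", count_upstream_queries(None), "upstream query")
    c = FakeClock()
    cache = ResolverCache(serve_stale_max=3600, clock=c)
    cache.put("example.com", ("203.0.113.10",), 300)
    c.advance(301)
    def upstream_down(key):
        raise OSError("upstream unreachable")
    print("upstream down after expiry ->", resolve(cache, "example.com", upstream_down))
```

The simulation is the quantitative version of the comment's argument: with a one-minute client cache the same record is fetched 60 times an hour, with a full-TTL cache once.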


You should consider disclosing your affiliation to the project in your posts on this thread.


With their specific post, no I don't think so. They are advocating "general good ideas" vs subtly promoting the product.

I run my own DNS, I would have said all the same things they did.


It does what pi-hole does and a lot more. It has encrypted DNS protocol support like DNS-over-HTTPS, DNS-over-TLS, and DNS-over-QUIC and also has a built-in recursive resolver.


It is trivial to get pihole working with DoH. Just pair pihole with DNSCryptProxy.


Sure, but it's not what pi-hole does or supports. You need to install other software and forward requests to it. Technitium DNS has this feature built-in along with support for DoT and DoQ, including support for DoH/3.


It seems you have not kept up with .NET development. Web Forms have been obsolete for many years now.


The same can be said about the IP-based blocking that firewalls employ. IP-based blocking can also be bypassed by using various tunneling techniques, but that does not make it useless. Having DNS-based control in addition to IP-based control is much more useful for most scenarios.


Why DoH and not DoT? DoT would be much more suitable and provides the same set of guarantees, since both are essentially using TLS. DoH provides only one extra thing, which is to make it difficult to block. If you run DoT over port 443 then it essentially becomes the same as DoH in terms of being difficult to block.
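Added example (not code from the thread or from any of the servers discussed) for the DoT-versus-DoH comparison above: both protocols carry the identical DNS wire message inside the same kind of TLS session; what differs is only the framing (a 2-byte length prefix on the stream for DoT per RFC 7858, an HTTP request with content type application/dns-message for DoH per RFC 8484) and the default port. The helper names, the hostname dns.example.net and the embedded sample query are constructed for this example; query_dot opens a real connection and is not run here.

```python
"""Added example: DoT and DoH framing of one and the same DNS message over one and the
same TLS configuration. Helper names and dns.example.net are hypothetical."""
import base64
import socket
import ssl
import struct

# Constructed sample: wire-format A query for example.com, transaction id 0x1234 (29 bytes).
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")

def tls_context(ca_file=None):
    """The TLS requirements are identical for DoT and DoH: TLS 1.2+, certificate and
    hostname verification. This shared layer is why both give the same guarantees."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def dot_frame(msg):
    """RFC 7858: every DNS message on the TLS stream is prefixed with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def dot_unframe(stream):
    """Split a stream buffer into complete messages; return (messages, leftover bytes).
    A partial trailing message is left in the buffer until more data arrives."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            break
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs, stream[i:]

def doh_get_path(msg, path="/dns-query"):
    """RFC 8484 GET form: base64url without padding in the dns= parameter."""
    return f"{path}?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")

def doh_get_decode(path):
    """Inverse of doh_get_path (what a DoH server does with the dns= parameter)."""
    param = path.split("dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def doh_post_request(msg, host, path="/dns-query"):
    """RFC 8484 POST form as raw HTTP/1.1 bytes; the body is the unmodified wire message."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\nAccept: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg

def query_dot(server, msg, port=853, server_name=None, timeout=5.0):
    """Live DoT query (not executed in this example). port=443 is the 'DoT over 443'
    variant from the comment: same protocol, just on the port a middlebox expects HTTPS on."""
    ctx = tls_context()
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or server) as tls:
            tls.sendall(dot_frame(msg))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the stream before a full reply")
                buf += chunk
                msgs, buf = dot_unframe(buf)
                if msgs:
                    return msgs[0]

if __name__ == "__main__":
    print("DoT frame :", dot_frame(SAMPLE_QUERY).hex())
    print("DoH GET   :", doh_get_path(SAMPLE_QUERY))
    print("DoH POST  :", doh_post_request(SAMPLE_QUERY, "dns.example.net")[:80])
    # query_dot("dns.example.net", SAMPLE_QUERY, port=443)  # hypothetical host, live only
```

Comparing the three outputs makes the comment's point visible: the 29 query bytes are byte-identical in every case, so a middlebox that cannot see inside TLS distinguishes DoT from DoH only by port number and, for DoH, by the HTTP wrapper.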


"The major criticism of DoH is Firefox enabling it by default and overriding the existing system DNS configuration, requiring manual reconfiguration of arbitrarily many client devices to change it back to the way it was. There can obviously be no legitimate objection to it if it is disabled by default and only used when explicitly enabled by the user."

+1 Firefox should also consider making such network settings accessible only to root or administrators, so that organizations can maintain network policies for the devices they own on their network.


"Is security policy via DNS really a good way to go? There are other, imo more effective, ways of handling this. If your security policy can be defeated by using a DoH resolver, it’s evidently not very hard to bypass."

The same argument can be made for a firewall that filters traffic using IP addresses. In the same words, it can be said that if your firewall security policy can be defeated by using a VPN, it's evidently not very hard to bypass.

Just like a firewall is useful for security, so are DNS-based policies.

Cloudflare is doing a good job, but the concern is centralization. It's not going to be good to have most internet resources being resolved via Cloudflare DoH and then accessed via Cloudflare CDN.

ESNI will take a lot of time to gain meaningful market share. There are people still arguing that their website does not need to use HTTPS since it is just a static website or does not have login/user data. Such people completely fail to understand that HTTPS is not there to protect them but to protect their end users from MiTM script injection attacks.


DoH and DoT do not really provide privacy unless ESNI is fully developed and deployed by most websites. DoT and DoH do provide security, since with plain old DNS literally anyone in your network path can spoof responses.

Round-robin providers is a really bad idea. It's like leaving your footprint in literally all places.

Best is to use Tor Browser if you really need privacy.


