st3fan•1h ago
The privacy angle here is wrong, or at least incomplete.
The reason for that is that your ISP is most likely capturing all your unencrypted DNS traffic (port 53) to build that exact profile of you.
And unlike Cloudflare or Google, your ISP, which is often also the company you get your mobile phone subscription from, now knows where you live, who you are, what your family looks like and which specific websites you visit.
Cable/Fiber modem manufacturers are also known to do exactly this kind of data collection. There was a recent example of this where it happened with firmware directly on the cable modem for a Dutch provider.
Running your own DNS server does not change this at all. From a network perspective this is the same: unencrypted DNS that anyone in the middle can see and record.
The only way to work around companies upstream from you is actually to use a DNS forwarder combined with some form of DNS privacy (encryption). A very good way is to have a local DNS server that forwards to an outside trusted DNS server over DoT or DoH, both of which are encrypted. Your ISP can see the traffic, but they can't see inside it and find out which DNS queries you make.
That means your devices on your local network can just talk "plain" DNS on port 53 like they always do, to your self-hosted DNS server. But your self-hosted DNS server will then forward those queries to a trusted server _outside of your and the ISP's network_ over an encrypted channel.
I do this with Unbound and the following config https://gist.github.com/st3fan/22ac09b7219b29f446a45d6cc599c...
Note that I do not trust my ISP (Bell Canada) but I do feel OK with using Google and Cloudflare. That is my personal choice and not a recommendation. You can probably find better options; they do need to support DoT or DoH though.
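The split the comment describes (plain port-53 DNS on the LAN, everything upstream over DoT) as an Unbound configuration; this is an added example written for this page, not the author's gist. The LAN range 192.168.1.0/24, the resolver address 192.168.1.2, the CA bundle path and the trust-anchor path are assumptions; the forwarder addresses are the public DoT endpoints of the two providers named in the comment.

```conf
# Added example (not the author's gist): Unbound answers plain DNS on the LAN
# and forwards every query upstream over DNS-over-TLS (TCP/853).
# Assumed: LAN 192.168.1.0/24, resolver host 192.168.1.2, Debian-style paths.
server:
    interface: 192.168.1.2
    interface: 127.0.0.1
    port: 53
    do-udp: yes
    do-tcp: yes

    # Answer only the LAN and localhost; refuse everything else so the
    # resolver cannot be used as an open resolver from outside.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # CA bundle used to validate the upstream resolvers' certificates.
    # Without it, forward-tls-upstream encrypts but does not authenticate,
    # so an on-path ISP device could still impersonate the forwarder.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # Validate DNSSEC locally instead of trusting the forwarder's AD bit.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Caching and prefetch reduce how many queries leave the network at all.
    cache-min-ttl: 60
    prefetch: yes

    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Syntax is address@port#authname; the #name is what the TLS
    # certificate is checked against, so it must match the provider's name.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
```

Run `unbound-checkconf` before reloading, then confirm on the WAN side that only TCP/853 toward the forwarders leaves the network (for example `tcpdump -ni <wan-if> 'port 53'` should stay quiet while a LAN client resolves names).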