In part, this depends on how powerful your hardware is and whether you want to pay for additional services like a vpn. Choosing a vpn provider opens another can of worms - some are less ethical than others.
For myself, I installed stubby, which pulls dnsmasq as a dependency, to encrypt my dns lookup requests. Cloudflare, Google (how far do you trust Google?) and OpenNIC, provide free DNS over TLS:
[Tutorial] [No CLI] Configuring DNS over TLS with LuCI using Stubby and Dnsmasq