I'm trying to decide which option I prefer here in terms of privacy. I'm curious about others' opinions on the issue, and whether anyone has a better solution that offers more privacy.
Option 1: Hosting a local recursive DNS
I currently have a device running Pi-hole on my local network. I recently set it up as a recursive DNS server using unbound. This allows me to no longer rely on a public DNS such as Google DNS, OpenDNS, Cloudflare, etc. for my queries, and just point straight to the root servers.
Pro: I removed a "pair of eyes" (Public DNS) out of the equation
Con: None of my queries are encrypted, so my ISP (and potentially others) can still see my DNS queries
Option 2: Using DNS over HTTPS (DoH) using Cloudflare's client
With this option I would use Cloudflare's cloudflared daemon they provide on their website. This would allow all my queries to be encrypted when sending them to Cloudflare.
Pro: Encrypted DNS queries from my local network -> Cloudflare's servers. My ISP can no longer see my DNS queries
Security Pro: Helps prevent MitM attacks
Con: I now have a public DNS back in the equation, which I have to put some trust into. Also, my queries are most likely only encrypted from my local network -> Cloudflare's network. When Cloudflare has to do the recursion, those queries may not be encrypted (my assumption is that they will most likely not be encrypted)
Possible Con: Does Server Name Indication (SNI) "leaking" apply to DNS queries at all? If so, then my query is revealed anyway, right?
As a note, I am nowhere near an expert on the specifics of DNS, so some of my assumptions on how things work may be super wrong!
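The difference between the two options comes down to where the query name is readable on the wire. The added example below (not part of the post, and not Pi-hole's, unbound's or cloudflared's code) builds a plain RFC 1035 query for a constructed name, shows that a passive observer on the UDP/53 path can read the name straight out of the packet, and then wraps the same message the way an RFC 8484 DoH GET request carries it inside TLS.

```python
import base64
import struct

# Constructed sample name for the demonstration (not taken from the post).
SAMPLE_NAME = "example.com"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: header (RD bit set, 1 question) + QNAME + QTYPE/QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def qname_from_wire(msg: bytes) -> str:
    """What anyone on the path of a plaintext UDP/53 query (e.g. the ISP) can read:
    the queried name sits uncompressed right after the 12-byte header."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1 : pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def doh_get_path(msg: bytes) -> str:
    """RFC 8484 GET form: the identical DNS message, base64url without padding,
    in the ?dns= parameter. Base64 is only encoding; the privacy gain is that this
    path travels inside the TLS session to the resolver, so the on-path observer
    sees the resolver's address and the DoH server's SNI, not the queried name."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()


def doh_decode(path: str) -> bytes:
    """What the DoH resolver does on receipt: restore padding and decode to the wire message."""
    b64 = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


if __name__ == "__main__":
    q = build_query(SAMPLE_NAME)
    print("plaintext query, name visible on path:", qname_from_wire(q))
    print("DoH GET request line (inside TLS):", doh_get_path(q))
    print("resolver recovers the same message:", doh_decode(doh_get_path(q)) == q)
```

Whichever resolver receives the decoded message still learns the name, which is the "pair of eyes" trade-off described above; with the local recursive setup the root, TLD and authoritative servers see the labels they are asked about instead.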