I currently use a Pi-Hole to serve DNS queries for my local network. Passive ad-blocking, combined with control over the upstream DNS server and an encrypted transport such as DNS-over-HTTPS (DoH) to reach it, is a great first step to keeping my network more private.
The next step is looking at the tech upstream of the Pi-Hole a little more closely. There are a couple more pieces of tech that can add additional layers of privacy. The first is using the DNSCrypt protocol to make those requests. DNSCrypt isn't much different from DoH, except that DNSCrypt lets me make Anonymized DNS queries, which is enough of a difference when it comes to maximizing the privacy of this setup.
Anonymized DNS is a workflow that puts a relay server between the client (my computer) and the DNS server. The relay can't decrypt my DNS request, but it does hide my client IP address from the DNS server. So by using a relay I can obscure the origin of my DNS requests from the DNS server. Since the relay strips my IP information from the request, even if the DNS server does log my queries (whatever its marketing says), it can't trace those queries back to my IP.
Using dnscrypt-proxy, I can configure relays from this list and combine them with a DNS server that supports the DNSCrypt protocol from this list, at which point my DNS setup is about as private as possible without running Tor.
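Here is what that relay setup looks like in a `dnscrypt-proxy.toml`, as an added example rather than the config from this post; the server and relay names are placeholders to be replaced with entries from the two lists above, and the rest of the stock example config (the `[sources]` section that downloads those lists, etc.) is assumed to be left as shipped.

```toml
# dnscrypt-proxy.toml fragment (added example; server/relay names are placeholders)

# Pi-Hole points its upstream at this address (entered as 127.0.0.1#5353 in the Pi-Hole UI).
listen_addresses = ['127.0.0.1:5353']

# Only DNSCrypt servers can be relayed, so exclude DoH servers from selection.
dnscrypt_servers = true
doh_servers = false

# Only consider resolvers that claim not to log and that validate DNSSEC.
require_nolog = true
require_dnssec = true

# Pin the DNSCrypt resolvers to use (placeholder names from the public resolver list).
server_names = ['PLACEHOLDER-dnscrypt-server-1', 'PLACEHOLDER-dnscrypt-server-2']

[anonymized_dns]
# Each route forwards queries for server_name through one of the listed relays.
# The relay sees the client IP but not the query; the resolver sees the query but
# only the relay's IP. Pick a relay run by a different operator than the resolver,
# since the separation only holds if the two parties are not the same.
routes = [
  { server_name = 'PLACEHOLDER-dnscrypt-server-1', via = ['PLACEHOLDER-relay-1', 'PLACEHOLDER-relay-2'] },
  { server_name = 'PLACEHOLDER-dnscrypt-server-2', via = ['PLACEHOLDER-relay-2'] },
]

# If a routed server turns out to be incompatible with anonymization, skip it
# instead of silently falling back to a direct connection that exposes the client IP.
skip_incompatible = true
```

After restarting, `dnscrypt-proxy` logs which servers were selected and which relay each route uses, which is the quickest way to confirm no query is leaving unrelayed.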
Nothing is perfect, and so, while all of this is fun, the Server Name Indication (SNI) is still sent unencrypted with every HTTPS connection from my client, so my web surfing activity is still there for the taking if my ISP really cares to log that information. There seem to be some attempts to address this, but there isn't a workaround at the moment.