This is my DNS resolver setup using knot-resolver and dnsdist, exposing only encrypted DNS (DoH and DoT). It does not log queries and avoids EDNS Client Subnet so client info isn't leaked upstream. QNAME minimization helps reduce what gets exposed during resolution, DNSSEC validation makes sure responses are legit and DNS rebinding protection is enabled too.