At a minimum, my ISP can not see or tamper with DNS requests. My VPS nodes are multi-purpose so it isn't really extra cost.
This also gives me the capability to intercept some of my traffic and route it over my VPN using a combination of haproxy and squid. I can do this by source PC, or by destination, or protocol, or any combination thereof.
For me, this has worked great for years and gives me a lot more flexibility, options and control over my data flows. If I want more privacy, I can use my existing tc cbq QoS and rate limited rsync's of random noise to hide some traffic patterns.
Are you encrypting each DNS packet at the source (e.g. your home recursor/DNS-forwwarder)?
If yes, when are your sent packets decrypted? At the authoritative nameserver, or at some intermediary recursor?
If no, how do you believe that your DNS packets are opaque and tamper resistant?
There are very few authoritative nameservers on the internet that accept and return encrypted DNS packets. Thus third party recursors must send out unencypted DNS packets. Nothing protects these unencrypted packets from being captured, viewed or tampered with.
It sounds more like you are creating a chain of recursors (that you control?) to make tracing the requests more difficult.
If you are using any third party recursors are you concerned about applications you use that implement support for ends-client-subnet extensions?
From there, for sure, the risk increases. I am not sure I trust DNSSEC to help me much. That said, I rotate through many local recursors at each location, so they have to rewrite my traffic right as it leaves my node. That is doable, but that isn't really what I am defending against. Anything I care about, I validate in a script and write into /etc/hosts.
You are correct, there are not that many recursors that support TLS.
Beyond that, things like software updates I don't trust DNS at all and certainly not public mirrors. I validate packages with GPG signatures. Even that is tricky, because chicken+egg, so I validate the GPG sigs from trusted sources.
On a funny side note, you would be surprised how many people rely on trusting GPG keys that are contained in a package, signed by those same keys, in the same repo.
OP is "creating a chain of recursors (that you control?) to make tracing the requests more difficult"
but also, as a result less difficult to tamper with by a less trusted party such as a mass market commercial ISP - tampering with his forwarder would entail either tampering with random many other peoples traffic or compromising the 'percieved as more secure' ISP.
Pretty sure someone mucking around with TTL's on these packets to make sure they don't get too far out of intended range and the numerous other things would be aware of these issues..
You could use the other github scripts that folks have linked for setting up the VPN. Then you would want to set up recursive DNS servers on your home router and VPS nodes. Then look into iptables mangle to intercept DNS, NTP, etc. HAProxy L4 vip on the router is an easy way to forward some web traffic to Squid running on multiple VPS nodes. Squid has an intercept mode you can use for any traffic you want to throw at it. Unbound DNS can override min-ttl and allows overriding partial or complete DNS zones for block some shenanigans. Calomel.org has some articles on some of these things.
It's probably even better if you research each step yourself so that adversaries have to work harder to generalize attacks around your configuration.
I love HN