For anyone running on Android 9 (edit) or later, navigate to
Settings -> WiFi and Internet -> Private DNS
Select Private DNS provider hostname
Add dns.adguard.org (DNS over TLS)
Visit https://googleads.g.doubleclick.net/ and you should see your browser's 'Server not found' page instead of Google's (disable existing ad-blockers or they might jump in and block the URL anyway).
For anyone on Android 4.0 or later, consider using Google's Intra to use AdGuard DNS over HTTPS, if you prefer it over Cloudflare's or Google's.
Open the app, click on Settings.
Choose custom URL and paste: https://dns.adguard.com/dns-query
Be sure to 'lock the app' to prevent it from being killed in the background.
I already use ad blocking on my personal phone (LineageOS + AdAway) but my wife's phone is still stock Android and without an ad blocker. Intra + AdGuard just fixed that. Goodbye, pervasive tracking.
Perhaps more important is that the project is also open source: https://github.com/Jigsaw-Code/intra
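The posts above describe pointing a phone at an encrypted resolver and checking that an ad host comes back as 'Server not found' (NXDOMAIN) rather than an address. The following added example, which is not code from Intra, AdGuard or any other project in the thread, shows what is actually on the wire: it builds a DNS query, frames it for DNS-over-TLS (RFC 7858: two-byte length prefix over TLS on port 853) and for a DNS-over-HTTPS GET (RFC 8484: base64url message in the `dns` parameter of the same `dns-query` endpoint quoted above), and classifies a reply as NXDOMAIN, null-blocked (`0.0.0.0`/`127.0.0.1`) or resolved. The two sample replies at the bottom are constructed by hand so the classifier can be exercised offline; `query_dot` is the only function that touches the network, and the hostname it defaults to is assumed from the DoH URL in the thread.

```python
"""Wire-level view of a DoT/DoH lookup and of a blocked reply.
Added example; not code from Intra, AdGuard or any project in the thread.
"""
import base64
import socket
import ssl
import struct

A_RECORD = 1
RCODE_NXDOMAIN = 3
BLACKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}   # typical null-blocking answers


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=A_RECORD, txid=0):
    """12-byte header with RD set plus one question. txid 0 keeps DoH GET URLs cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def dot_frame(msg):
    """DoT uses the TCP framing: big-endian 2-byte length before the message."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(endpoint, msg):
    """DoH GET: base64url-encoded message, '=' padding stripped, in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (endpoint, encoded)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return (rcode, list of A-record IPs) from a wire-format reply."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                              # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, ips


def classify(msg):
    """NXDOMAIN (browser: 'Server not found'), NULL-BLOCKED, RESOLVED or NODATA."""
    rcode, ips = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if ips and all(ip in BLACKHOLE_IPS for ip in ips):
        return "NULL-BLOCKED"
    return "RESOLVED" if ips else "NODATA"


def query_dot(name, host="dns.adguard.com", port=853):
    """Live DoT lookup (needs network); the server certificate is validated against host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(dot_frame(build_query(name)))
            (length,) = struct.unpack("!H", tls.recv(2))
            reply = b""
            while len(reply) < length:
                reply += tls.recv(length - len(reply))
    return classify(reply)


# Constructed sample replies for the ad host named in the thread (not captured traffic).
QUERY = build_query("googleads.g.doubleclick.net")
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0) + QUERY[12:]
SAMPLE_NULL_BLOCK = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + QUERY[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, 300, 4) + b"\x00\x00\x00\x00"
)

if __name__ == "__main__":
    print(doh_get_url("https://dns.adguard.com/dns-query", QUERY))
    print(classify(SAMPLE_NXDOMAIN), classify(SAMPLE_NULL_BLOCK))
```

Either reply shape stops the browser from reaching the ad host; the difference matters when you audit a filtering resolver, because a null-blocked `0.0.0.0` answer still looks like a successful lookup to a client that only checks the RCODE.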
Encrypted SNI is a thing on the horizon that'll let us give the dual middle finger to our ISPs. As far as I know, it is not here now though.
This is why I implemented WireGuard on top of it. All the traffic is encrypted through our home network (200/20 Mbit) with DNS over TLS and ad blocking thanks to Pi-Hole. LTE, open WLAN networks, all of these work. And roaming works very well with WireGuard. The downside is the 20 Mbit upload.
Curious how you set this up? I see cloudflare as an option in the pihole settings but doesn't appear to be encrypted? (at least as a default)
It turns out lots of things will resolve anything that looks vaguely like a hostname to see if, in fact, it is a hostname, e.g. "untitled.pdf". These queries get passed to your ISP, and then on towards the root name servers. So if you run a large nameserver, you quickly find that most of your DNS queries are very obviously rubbish.
With DNSSEC there are two new records (NSEC, NSEC3) that let you say "between these two names, I guarantee there are no valid records". Thus if your nameserver supports this, it can say "there are no valid names between .pccw and .pe, and thus anything that ends with .pdf is invalid". NSEC and NSEC3 records can both be cached, and your resolver can synthesise NXDOMAIN responses from them. (See RFC 8198 for details.)
So, instead of spraying queries for "untitled.pdf" across the internet, you can quickly and efficiently return NXDOMAIN.
Another cause of these is search paths: when you look up "news.ycombinator.net" and that resolution fails, it will try adding the search path, e.g. "news.ycombinator.net.example.org", again leaking typos and filenames to everyone in your search path.
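As an added illustration of the NSEC mechanism described in that comment (not code from any resolver mentioned in the thread), the following Python implements the core of RFC 8198 aggressive negative caching: canonical DNS name ordering (RFC 4034 section 6.1, labels compared right to left as case-folded octet strings), a cache of NSEC spans, and a `synthesize` check that returns NXDOMAIN only when a cached span strictly covers the query name and another cached span proves that no wildcard exists at the closest encloser. The NSEC spans in `root_cache` are constructed to mirror the comment ("pccw NSEC pe" leaves no room for "pdf") and are not a real root-zone snapshot; the apex and wrap-around records are assumptions added so the example is complete.

```python
"""Aggressive negative caching from NSEC records (RFC 8198), simplified.
Added example, not code from any resolver named in the thread; the NSEC
spans below are constructed, not a real root-zone snapshot.
"""


def canonical_key(name):
    """RFC 4034 s6.1 order: compare labels right to left, case-folded, as octets.
    A list of bytes sorts the same way Python compares lists, so it can be a key."""
    labels = [lbl.lower().encode("ascii") for lbl in name.rstrip(".").split(".") if lbl]
    return labels[::-1]


class NsecCache:
    def __init__(self, apex):
        self.apex = canonical_key(apex)
        self.spans = []                        # (owner, next_name) pairs, as received

    def add(self, owner, next_name):
        self.spans.append((owner, next_name))

    def exists(self, name):
        """Any NSEC owner name is proven to exist."""
        key = canonical_key(name)
        return any(canonical_key(o) == key for o, _ in self.spans)

    def covering(self, name):
        """The cached NSEC whose span strictly contains name, or None."""
        key = canonical_key(name)
        for owner, nxt in self.spans:
            lo, hi = canonical_key(owner), canonical_key(nxt)
            if hi == self.apex:                # last NSEC in the chain wraps to the apex
                if key > lo:
                    return owner, nxt
            elif lo < key < hi:
                return owner, nxt
        return None

    def closest_encloser(self, name):
        """Longest ancestor of name that the cache proves to exist."""
        labels = name.rstrip(".").split(".")
        for i in range(1, len(labels) + 1):
            ancestor = ".".join(labels[i:]) + "."
            if self.exists(ancestor):
                return ancestor
        return None

    def synthesize(self, qname):
        """'NXDOMAIN' if cached NSECs prove qname absent, else None (ask upstream)."""
        if self.exists(qname) or self.covering(qname) is None:
            return None
        encloser = self.closest_encloser(qname)
        if encloser is None:
            return None
        wildcard = "*." + encloser if encloser != "." else "*."
        if self.exists(wildcard) or self.covering(wildcard) is None:
            return None                        # a wildcard might match: cannot synthesize
        return "NXDOMAIN"


def root_cache():
    """Constructed sample: apex NSEC, the pccw->pe gap from the comment, wrap-around."""
    cache = NsecCache(".")
    cache.add(".", "aaa.")                     # assumed first TLD in canonical order
    cache.add("pccw.", "pe.")                  # no TLD sorts between these, so no "pdf"
    cache.add("zw.", ".")                      # assumed last TLD, next name wraps to apex
    return cache


if __name__ == "__main__":
    cache = root_cache()
    for name in ("untitled.pdf.", "foo.zzz.", "example.pe.", "pe."):
        print(name, cache.synthesize(name) or "forward upstream")
```

Two things a real resolver adds that the sketch leaves out: the NSEC records must have validated RRSIGs before they are trusted, and the cache entries expire with their TTLs. The search-path case from the comment is the same machinery one zone down: a cached NSEC from the `example.org` zone covering `news.ycombinator.net.example.org` lets the resolver answer the suffixed retry locally too.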
If you actually value your privacy, this is the first step that you should take.
It's a fairly simple exercise in content DNS service. I actually set my machines up with a root content DNS server each.
Search paths are a subject in their own right.
Doesn't solve for cases where it's a valid TLD but the domain doesn't have a valid DNS record. Guess it would depend on whether the TLD in question is publishing said DNSSEC record.
I found that Pi-hole did too much so wrote my own. I don't think it has any users, except in my house, but it seems to work.
Downside: Battery life takes a slight hit due to encryption.
DO will forward those torrent scare / spam server abuse emails ASAP, so they won't be good for that kind of stuff.
The thought is: who do you trust more with your traffic data? Your ISP or a VPN provider? (In this case DigitalOcean.)
Perhaps this has happened with DO and Apple have blocked its host address ranges from the API due to unwitting past involvement in hack/DDoS attempts?
This is common with public VPN services that people I know have used. I have the luxury of fixed addressing and decent bandwidth at home, so I run my VPN there and have thus far not noticed any such issues. This also means that services that are location sensitive work as if I'm at home (not some random other place the VPN endpoint appears at).
I also keep nginx to avoid pinging Apple or Google for checking if internet works (captive.apple.com, http://connectivitycheck.gstatic.com/generate_204 are re-routed to my own server).
Finally, it is incredibly simple to use nginx to serve DNS-over-TLS from your own machine (so from my dnscrypt-proxy) for use on Android Pie. Works on mobile as well.
Admittedly I've not got it working on Android yet, but I'm under the impression that there is a way of getting WireGuard working on Android.
Disclosure: I work at ba.net.
Notable differences between it and Pi-Hole:
1. Easy to set up and use. It's just a single binary, everything you need is inside.
2. Supports every DNS encryption protocol out-of-the-box: DNS-over-HTTPS, DNS-over-TLS, DNSCrypt.
3. Can run on any platform (even on Windows since today).
For one, it seems like the wrong tool for the job. Filtered content can simply switch to identifying content by IP address instead of DNS, correct? Or change DNS constantly.
And for two, of course there are concerns with handing someone your DNS queries in return for filtering...
The NYT could serve their ads from NYT servers instead of nagging you to turn off adblock and continue with their 3rd party ad providers.
So they are not doing that, so I doubt circumventing DNS adblock will be something that they will care much about either.
People have been blocking stuff for decades now, and we know what the responses to some of the initial moves will be, because the world has already gone through the dance.
If you're not using DNS over TLS or HTTPS, I suggest you start right now.
If you're undecided about DNS-based adblock, consider reading this blog post: https://www.troyhunt.com/mmm-pi-hole/
I wouldn't use a third party service for that, preferring instead to use pihole.
Correct, but probably better than giving it to Google or your ISP for free!
Giving some unknown company the ability to trivially man-in-the-middle your connection or sell your browsing history is pretty scary. The fact that their code is open source helps a bit, but there's no way to tell whether the code running on their servers is the same as on github.
I'll stick with my pihole/hostsman.
So this is not for everybody.
The code for their DNS servers is actually open source, so if you want the functionality without relying on AdGuard you can run your own server.
That's not to say the cost is zero, but with multiple caching layers (OS, browser, router, etc.) and serving the same results for everyone, server costs are not very high.
Edit: Apparently it is. https://pi-hole.net/2018/05/18/nxdomain-and-null-blocking-wi...
My main questions are
How do we know if we can trust them with our data?
How fast are they compared to Cloudflare?
I wish there was something like Signal but for DNS. Similar in the way that you don't have to trust them to know they are not doing nefarious things with your dns queries.
I know I can install Pi-hole in my home network, but I want something that works on every network.
That would not be in their best interest, I'd imagine, as CF probably hosts loads of sites you'd want to filter.
I didn't see anything in the announcement about logging or other privacy related questions. The FAQ also didn't list this information.
The only thing they mention about privacy is how a dns request to them is protected, but not what they do with the data.
Did I miss something?
>We do not collect anything for tracking purposes and take all necessary technical, administrative and physical measures to protect the information we get.
> When an AdGuard DNS user tries to visit a page, our server receives the following information:
> A DNS request, which contains the domain name.
> The DNS request will be forwarded to a root or authoritative DNS server, but to the upstream server it looks as if this request originated from the AdGuard DNS server; there is absolutely no way for them to identify the original user. We, in our turn, do not log or save any of this information.
Prior to this, I was running Intra on my Android phone to route all DNS traffic to cloudflare-dns and had been pretty happy to use it in tandem with PrivacyBadger, uMatrix, and uBlockOrigin on Firefox.
Someone suggested using AdAway on rooted devices and another app that does a similar trick of running a local VPN on Android through a user-supplied hosts file. Great alternative.
We embed ECS data in our requests at DNSFilter to the authoritative upstreams, and we have a large global anycast network, so even if they're not accepting it, the answer is coming from a server 'nearby' the originating dns request, so CDN requests shouldn't be affected much.
Local solution. I remember this URL from memory, "install" on every device/router I touch.
The correct technical solution for privacy is running your own DNS server locally.
> We will never sell your data or use it to target ads. Period.
> We’ve retained KPMG to audit our systems annually
The ISP can still see requests the local DNS server sends to the Internet.
As mentioned in some other replies here, you can use vanilla DNSCrypt or cloudflared, or Pi-Hole with either one enabled, etc.
Private infrastructure for the win.
Some mentioned trust; for me, support for DNS over HTTPS is much more important since I'd be using it over a VPN anyway. And for those that don't, NAT and the inability to correlate DNS lookups with actual (especially encrypted) traffic make privacy a less significant concern for me.
It does not just protect your privacy, it improves your bandwidth too.
Troy Hunt wrote about it a couple of months ago: https://www.troyhunt.com/mmm-pi-hole/
Edited to add: But I like the idea.