As we all know, companies and governments track users' activities online. One strategy for doing so is via DNS, a protocol that is unencrypted by default, allowing anyone to eavesdrop. Two strategies for reducing the number of eavesdroppers are using encrypted DNS and avoiding corporate-managed DNS providers (Google, Cloudflare, your ISP, etc.). (NB: these corporations run most of the internet and are nigh impossible to avoid; pick your battles.)

One tool that makes this remarkably easy, as I just discovered, is unwind on OpenBSD, a part of base as of 6.5. What makes this tool particularly easy is that it is designed to run on localhost, and on mobile platforms like laptops with varying networks. It automatically detects when it is running behind a "captive portal", so you can log in to random Wi-Fi networks without changing your setup manually, and then switches back to the preferred name servers. It also defaults to using DNS over TLS, which is nice.

An alternative I've discovered is that Tor is often not blocked on most networks, so DNS resolution can be provided over the onion network. It is then impossible to correlate which DNS queries originate from which client. Perhaps it is possible to marry unwind and Tor; we shall see.