DNS - aka how we locate the server addresses on internet is one of the weakest links of privacy and security. This is often used by the ISPs and others for DPI (Deep Packet Inspection), censorship and various types of traffic shaping.
The DNS system is generally a UDP traffic send to port 53 of various DNS servers. Named seems to the the major DNS server used everywhere. Recently much attention is provided on how to encrypt the DNS traffic. Perhaps the first such effort was from OpenDNS with DNSCrypt. There are numerous servers which provides DNScrypt now.
Encrypting DNS traffic
client -----> DNS server
The traffic can be easily encrypted preventing someone like an ISP to track and log the DNS queries and use the same for say ad-targeting.
For a fairly advanced user on both MacOS and Linux, its quite easy to setup the DNS encryption using DNSCrypt-Proxy.
DOH aka DNS over HTTPS
In the recent times, ie in 2019 Mozilla Firefox entered news for activating DOH. This itself shows much the DNS is exploited right now. Its a fairly simple mechanism where DNS traffic is sent encapsulated as encrypted HTTPS traffic making it difficult to trace. Well, the SNI aka Server Name Indication (https://en.wikipedia.org/wiki/Server_Name_Indication_ ) could be a deal breaker - and honestly I am not well aware of how SNI impacts DoH.
How to ensure secure DNS ?
While this is in no way a 100% secure mechanism, enabling DoH in Firefox and other browsers that supports it a good starting point.
Zdnet has a detailed article on enabling DoH : http://web.archive.org/web/20190927221427/https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/
A better mechanism
A safer, more efficient mechanism is to setup a local DNSCrypt-Proxy to both speed up the DNS & secure it even further.
An excellent how-to on the topic is below.
First DNS query of the day / TTL period:
;; ANSWER SECTION: slashdot.org. 599 IN A 18.104.22.168 ;; Query time: 53 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Oct 06 19:14:03 IST 2019 ;; MSG SIZE rcvd: 140
Second Query, yay! zero milliseconds
; ANSWER SECTION: slashdot.org. 473 IN A 22.214.171.124 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Oct 06 19:16:10 IST 2019 ;; MSG SIZE rcvd: 128