I understand what you're saying, but don't fully agree on the privacy part. At least it keeps my nosy ISP from keeping a tap on my DNS queries and it validates lookups. Having said that, OpenDNS, nowadays owned by Cisco (which is not particularly a non-dominant player imho), still offers no support for DNSSEC, as far as I'm aware, yet fully supports DNSCrypt (which they introduced) and web-based content filtering. Using Cisco DNS is fully anonymous, unless you decide otherwise by creating an account to personalize your content filtering settings. There are ways to opt out of non-anonymous data collection, based on new legislation, but I feel no need to do so myself, as that's the consequence of enabling OpenDNS stats.
It's a really hard problem to solve, and the DNS and cloud community would really like to solve it.
It's really hard for folks to understand, especially in these days of the "cloud" and hyperscaling, with microservices and whatnot: to keep services up and running, they generally will fail open if things don't work.
This problem probably exceeds the scope of this thread...
To the comment about "keeping my ISP from keeping a tap..." - hate to say it, but guess what, they are, and have been for some time. DNS is only one item, but they can and do extract everything going across their network. So yes, the lookup may be "masked", but when they start seeing a bunch of traffic from "some website inappropriate to some", they know the source and destination... and we won't go into the carrier-grade deep packet inspection tools and technologies that the operators use. When I was in the carrier space, we generally used this for analytics and traffic shaping, but even with tech like DNSCrypt, DNSSEC, SSL over HTTP, we can monitor and block traffic at a general level or even down to a single user...
(If that sounds scary - yes, it is, and yes, the ISPs have that capability; in many countries it's a regulatory requirement - it goes under the name of Lawful Intercept, and in the US it's covered by CALEA.)
And that's at the carrier level... when we look at state-level assets, like the GFW and others, that's an order of magnitude of capability that even the big players on the internet cannot compare to. As an example, the GFW knows everything that passes through it, so folks using VPNs or other things like Shadowsocks - they put up with it, until it reaches a level where things are no longer politically acceptable.
There are seven layers in the OSI stack - any ISP worth their salt is tracking all of them, logging some for general purposes for performance reasons, and logging all if one is a "person of interest". Put all the pieces together, and a picture forms for anybody on the internet. And we won't talk about "little brothers" like Facebook and other social networks, or the dark cloud that is matching metadata to known user profiles that have been nabbed via big data breaches.
We're in a world of Big Data, AI, and Machine Learning - using DNSCrypt or DNSSEC, or Tor/VPN, you're not going to compete against a motivated ISP, Little Brother, or a State Agency -
there is no privacy...
The best thing that DNSCrypt or DNSSEC can do is validate the lookup for a host from your client, but even then, it's not a given - the scary word in DNSCrypt is the word DNSCrypt-Proxy - that means all bets are off...
And those that consider VPN providers or whatever - "we don't keep logs" - yes they do - metadata is what it is - some try to break the puzzle into pieces, but your ISP has all the parts, and the info and analytics lets them do it in a fairly easy manner...
Just calling it as it is - the idea that DNSCrypt or DNSSEC can protect your privacy: it can't, there are ways...