its official implementation is the best. it has cache, logging, blacklists, whitelists, custom forwarding, etc.
there're only two issues: it's harder to implement (as opposed to just using tls / https libraries) and its creators don't have the political power of cloudflare, mozilla and google, so it won't become an ietf standard
i read about unbound a little, kinda disappointed. there's no dedicated whitelist file, but you can add a lot of rules to not resolve individual domains. so afaiu you can't make whitelists.
turns out, dnscrypt-proxy is quite an advanced resolver
I've been using it for a year and never had any problems
It also has an option to do anonymized DNS queries: https://github.com/DNSCrypt/dnscrypt-proxy/issues/960
@leip4Ier my home network has dnscrypt-proxy running in the router for the whole network. An amusing side effect is that after the cache starts to fill (which doesn't take much time) it tends to be faster (that is: less latency) than our ISP's DNS servers. That being said, now that I think of it I have rarely seen an ISP have speedy ones...