Hacker News

I disagree. People who care about not hitting 8.8.8.8 simply do not own a Chromecast.



This is patently false, as Paul Vixie, who created DNS, clearly owns one.


I own one and have bought three. Cloudflare DNS for me (via a Pihole).


You have to masquerade at your router, or at the VPN. For example https://ba.net/adblock/vpn/roku-chromecast-fix.html


Thanks.


Are you internally masquerading 8.8.8.8 to 1.1.1.1?


I just pointed the Pihole at 1.1.1.1 and added 8.8.8.8 to the block list. The Chromecast works fine with it. Not sure if the Pihole does something clever, though? I'm very sure that the Chromecast does, but I can see its traffic on the Pihole.


Not really. Before, you could firewall it off from the rest of your network, though now you can just masquerade 8.8.8.8 and 8.8.4.4 to your DNS server of choice.


I run an OpenBSD router with PF:

pass in quick on { $lan $wireguard } proto udp to { 8.8.8.8 8.8.4.4 } port 53 rdr-to 192.168.2.1

Locally I run Unbound for caching, local DNS zones and ad/malware domain blocking[2]. I have a DNS forwarder in Unbound configured to a local Stubby[1] instance that does DNS over TLS to Cloudflare.

Having done "big data" contract work for the largest telco in my current country of residence, who are some of the worst-skilled people I have ever worked with, your local ISP is highly likely abusing your DNS history, profiling your household for various questionable things just as much as Google. At least with Cloudflare they have a clear privacy policy[3], and I have faith that their technical skill at anonymizing data and using it can't be as bad as my ISP's.

[1] https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+... [2] https://github.com/StevenBlack/hosts [3] https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...
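As an added example (not code from the thread or from any of the projects named in it), here is a minimal DNS-over-TLS lookup of the kind the Stubby hop above performs: it builds the wire-format query, sends it with the RFC 7858 two-byte length prefix over a TLS session that verifies the chain and the server name, and parses the A records out of the answer. The resolver address, port and name (1.1.1.1, 853, cloudflare-dns.com) are Cloudflare's published DoT endpoint; everything else is Python 3 standard library. The encoder and parser are split out so they can be checked offline against a constructed response.

```python
# Added example: minimal DNS-over-TLS client with mandatory certificate
# and hostname verification. Not the thread's or Stubby's code.
# Assumes only the Python 3 standard library.
import socket
import ssl
import struct

DOT_SERVER = "1.1.1.1"              # Cloudflare's DoT resolver (assumption: reachable)
DOT_PORT = 853                      # RFC 7858 port
DOT_HOSTNAME = "cloudflare-dns.com" # name the presented certificate must match


def encode_name(name):
    """Encode a dotted name as DNS labels: len-byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Build a single-question query (default: A record), RD bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    return header + question


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg, expected_txid):
    """Return (rcode, [IPv4 strings]) from a DNS response; checks the txid."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):                  # skip the echoed question section
        off = skip_name(msg, off) + 4    # name + qtype + qclass
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:    # A record
            addrs.append(socket.inet_ntoa(rdata))
    return rcode, addrs


def recv_exact(sock, n):
    """Read exactly n bytes or fail; TLS records may split the message."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def dot_lookup(name, server=DOT_SERVER, hostname=DOT_HOSTNAME, port=DOT_PORT):
    """Resolve name over DNS-over-TLS, refusing an unverifiable certificate."""
    ctx = ssl.create_default_context()   # system CA store, hostname checking on
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    txid = 0x1234
    query = build_query(name, txid=txid)
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(struct.pack(">H", len(query)) + query)  # length-prefixed
            (n,) = struct.unpack(">H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, n), txid)


if __name__ == "__main__":
    print(dot_lookup("example.com"))
```

If the resolver's certificate does not chain to a trusted CA or does not carry the expected name, `wrap_socket` raises `ssl.SSLCertVerificationError` and no query is sent, which is the check the last comment in this thread is asking for.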


Until Google implements DNS over TLS and does cert checking.



