You have to trust someone because at some point the DNS request is getting made. It sounds like you're just choosing to trust your ISP.



No you don't. If you use DoH or DNSCrypt over a VPN, the DNS provider can't associate the traffic with your IP (a mitigating control of sorts).


They can associate the DNS calls with any VPN, too, can't they? If you use one of the 'big' commercial VPNs, I'd seriously doubt any of them are not logging at this point. They'd have already been warned due to tens of thousands of copyright violations originating from their networks, not to mention a lot of not-so-technical users, believing that they're actually anonymous, doing criminal things without realizing that the VPN logs it all.

Running your own Wireguard or OpenVPN on a cloud VPS is no solution, either. It's guaranteed that Amazon, Azure, etc. keep logs of all traffic, and will turn over the associated account without hesitation.


The DNS provider can't know your real IP, and the VPN provider can't see your DNS traffic because DNSCrypt, DoT and DoH encrypt the traffic.


Is anyone aware of a VPN out there that supports Pi-hole-like list filtering, so you could get the best of both worlds?

Right now it feels like I have to choose:

- Use my Pi-hole to block all sorts of content on filtering lists that are useful in cases like blocking unwanted tracking in mobile apps, but my ISP knows everything I access

- Use a VPN, where my ISP doesn't know what I'm doing, but every web service I use can use whatever tracking it wants (except where uBlock is used and such, but you don't get that luxury with, say, Samsung Smart TVs which are notorious for phoning home)


My home network is running a VPN I can access from my phone & computers while away. The home network includes a Pi-hole that is running DNSCrypt (DNS over HTTPS) with Cloudflare's DNS service.

Edit: so ultimately, you'd be trusting whoever's on DNSCrypt's resolvers list. Better than trusting Comcast, in my situation.


You can do this by picking a VPN provider that supports WireGuard. In the WireGuard config file, you can change the DNS address to the Pi-hole. I did this so that I can use VPN + NextDNS together on iOS because I can't change DNS in iOS.
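
The WireGuard client config the comment above describes, as an added example (not posted by the commenter) for the home-VPN case discussed earlier in the thread, where the Pi-hole sits on the home LAN behind the WireGuard peer. The addresses, the hostname vpn.example.net and the key placeholders are assumptions; the one line that matters for this thread is `DNS =`, which the WireGuard apps on iOS, Android and desktop apply to the whole OS while the tunnel is up.

```ini
# WireGuard client (phone/laptop) for a home VPN. Added example, not from the thread.
# Assumed layout: tunnel 10.8.0.0/24, home LAN 192.168.1.0/24, Pi-hole at 192.168.1.2,
# home router forwarding UDP/51820 to the WireGuard server, public name vpn.example.net.
[Interface]
PrivateKey = <client private key, placeholder>
Address = 10.8.0.2/32
# Resolver the OS uses while the tunnel is up. Without this line the client keeps the
# resolver handed out by the local Wi-Fi/cellular network and every query bypasses Pi-hole.
DNS = 192.168.1.2

[Peer]
PublicKey = <home server public key, placeholder>
Endpoint = vpn.example.net:51820
# Full tunnel: all traffic, including DNS to 192.168.1.2, goes through the home network,
# so the local ISP or hotspot sees only encrypted WireGuard packets to vpn.example.net.
# A split tunnel would need at least 192.168.1.0/24 here or the Pi-hole is unreachable.
AllowedIPs = 0.0.0.0/0, ::/0
# Keeps the NAT mapping alive for a client that is usually behind carrier-grade NAT.
PersistentKeepalive = 25
```

To check that filtering is actually in the path, bring the tunnel up and resolve a name that is on one of the Pi-hole's lists: the answer should be whatever the Pi-hole's blocking mode returns (0.0.0.0 or NXDOMAIN) rather than the real address, and the query should appear in the Pi-hole query log with the tunnel client's address as its source. If the query log stays empty, the `DNS =` line was not applied or `AllowedIPs` does not cover the Pi-hole's address.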


Why do you think a VPN provider is more trustworthy than the ISP?


The ISPs are going to log everything for sure. However, I'd probably trust their inability to put data to <s>good/evil</s> use, compared to professionals like Google.


Despite the "selling your data" memes, Google/Facebook don't do that. They treat your data as a proprietary asset and sell services based on captive use of it. Companies like Comcast recognize their shortcomings and actually will just sell it.


That's why you should use DoH or DoT if you can.


No my upstream is Cloudflare. Weirdly, I trust them.


If you don't want to trust anyone with your DNS data, you should run Unbound or Knot Resolver alongside Pi-hole.

Cloudflare is one of the world's largest networks, and a problem for anonymity and decentralization.
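
What "Unbound alongside Pi-hole" looks like in practice, as an added example that is not part of the thread: Unbound runs as a recursive resolver on the same host, listening only on localhost, and Pi-hole is pointed at it instead of at Cloudflare, Google or the ISP, so no single third-party resolver receives the full query stream. The file path, the port 5335 and the root-hints/trust-anchor paths are assumptions taken from a Debian-style install; adjust them to the distribution.

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf  (assumed path; added example, not from the thread)
# Unbound as a local recursive resolver for Pi-hole. Pi-hole's upstream is then set to
# 127.0.0.1#5335 and every other upstream (Cloudflare, Google, ISP) is unticked.
server:
    verbosity: 0
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # Only the local Pi-hole may ask this resolver; everything else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # Resolve from the root servers rather than forwarding to an upstream resolver.
    root-hints: "/var/lib/unbound/root.hints"
    # Validate DNSSEC: a forged or stripped authoritative answer is rejected, not cached.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes
    # Send only the part of the name each server needs to know (RFC 7816), so the root and
    # TLD servers do not learn the full hostname being looked up.
    qname-minimisation: yes
    # Refresh popular entries before they expire so clients rarely wait on a full recursion.
    prefetch: yes
    # Stay under the fragmentation threshold for UDP answers.
    edns-buffer-size: 1232
    # Do not leak local/private names to the public tree.
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
```

After restarting Unbound, `dig @127.0.0.1 -p 5335 dnssec-failed.org` should return SERVFAIL (the validation path works) and `dig @127.0.0.1 -p 5335 example.com` should return NOERROR with the `ad` flag. The caveat a practitioner will want: this removes the third-party resolver, not the ISP. Unbound still talks to root, TLD and authoritative servers in plaintext on port 53 from your own address, so an on-path ISP still sees those packets; qname minimisation limits what each name server learns, not what the ISP can observe. Hiding that traffic is what the VPN in the rest of the thread is for, and the two compose: Unbound on the Pi-hole host at home, reached through the home WireGuard tunnel.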