10-22-2017 07:01 PM
So I read here that Android is going have a new feature allowing DNS over TLS. Is this feature supported by OpenDNS?
10-22-2017 11:14 PM
I haven't seen any mention of it, but OpenDNS already supports DNSCrypt, which does the exact same thing, and has supported it for years.
DNSCrypt can be configured so that it supports every device on your network, not just Android phones.
I see no mention of other DNS providers who use this protocol, which may be proprietary to Google. It didn't say, but certainly those other ISPs would either need to write their own DNS stack or create specialized software to do this for them. It certainly doesn't appear to be ratified by one of the standards bodies, such as IEEE.
Frankly, this sounds like just one more way for Google to get people to use their servers so that they can further monitor what people are doing on the internet, and then sell that data for advertising purposes.
Bottom line, if you want encrypted DNS queries today, use DNSCrypt.
10-23-2017 12:26 AM
From what I've read since posting that question, it looks like DNSCrypt is a little better. But this new thing is supposedly supported by default by OpenDNS already due to using TCP on port 53. Dunno if that's true, but random internet guy said so.
10-23-2017 02:43 AM
Well, I don't take the word of random internet guys unless they can refer me to something that backs up their claims.
It's entirely possible that Google's protocol incorporates DNSCrypt or is compatible with it, but I can't see OpenDNS (or Cisco) explicitly supporting it or changing things to support it while it remains a Google only protocol.
Frankly, this is the first I've ever heard of this protocol, and I can't see the point in it if it's only for Android. I have many other types of devices I need to support, and I'm not going to use a different one for each type of device.
10-23-2017 03:06 AM
"using TCP on port 53"
Every DNS service in the world supports TCP (and UDP) over port 53. They must, because a UDP packet could not hold the complete message, so a "fall-back" to TCP is needed. OpenDNS also supports UDP and TCP over ports 443 and 5353. And it supports DNSCrypt, which can be used for UDP and TCP and for all ports, 53, 443 and 5353.
10-25-2017 10:39 PM
A follow-up to this. I was just listening to this week's episode of Steve Gibson's Security Now webcast (#634) when he talked about this for a few minutes.
It turns out this was ratified by the IETF as an RFC in May of 2016. The default protocol is 853, but it doesn't sound like anyone has released DNS servers or clients that can make use of it. Apparently Google's version is only in beta code for inclusion into a future Android release.
Essentially the same functionality as DNSCrypt, though it sounds like it might be susceptible to man-in-the-middle attacks if the client has not previously communicated with the server in question. I don't know how that compares to DNSCrypt.
In the future I suspect OpenDNS might add support for this, or potentially DNSCrypt will be updated by dnscrypt.org to incorporate or be compatible with this protocol. Or perhaps even deprecated in favor of the RFC standard. If DNSCrypt is changed I'm sure that at some point OpenDNS will support the newer version.
Basically, nothing to be concerned about right now. If you want privacy (encryption) of your DNS traffic today, you should use DNSCrypt.
06-25-2018 06:57 PM
It is unclear if DNSCrypt actually encrypts the DNS traffic or just prevents MITM. I'm afraid only the latter may be true. If so, it demonstrates the need for something better which does both.
From https://en.wikipedia.org/wiki/DNSCrypt :
> DNSCrypt wraps unmodified DNS traffic between a client and a DNS resolver in a cryptographic construction in order to detect forgery. Though it doesn't provide end-to-end security, it protects the local network against man-in-the-middle attacks.
From https://dnscrypt.info/ :
> DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing.
There is no mention of any encryption! Now it could be that version 2 of the DNSCrypt protocol implemented encryption, but I'm not sure. I need to also prevent my ISP or a MITM from reading my queries, not just from modifying them.
06-25-2018 07:10 PM
Like other solutions, it just prevents MITM. A VPN is safer.
06-25-2018 07:35 PM
08-15-2018 07:51 PM
I waited long enough already for DNS over TLS... I moved to Quad9 today at last: I am at least retaining malicious domain blocking....
PFSense's DNS resolver is actually using Unbound, so it was ridiculously easy to configure in my case (src: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html ).
I would have probably stayed with OpenDNS if native support for DNSCrypt had been possible with PFSense... I'll revisit OpenDNS from time to time to see if they have finally embraced an IETF proposed standard. The PFSense dev team will probably never offer DNSCrypt-Proxy as a supported package.
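For readers who want to see what the pfSense/Unbound setup above amounts to, here is an added Unbound configuration (not taken from the thread, pfSense or Netgate) that forwards all queries to Quad9 over DNS over TLS on port 853. The Quad9 addresses and the name dns.quad9.net are Quad9's public service values; the CA bundle path is an assumption that varies by OS.

```conf
# Added example: Unbound forward-zone using DNS over TLS (RFC 7858, TCP/853).
# Assumes a recent Unbound build with TLS support (as shipped with pfSense).
server:
    # Path to the system CA bundle; /etc/ssl/cert.pem is the FreeBSD/pfSense
    # location and is an assumption here. Without a bundle, Unbound encrypts
    # but cannot authenticate the upstream, which leaves the MITM case
    # discussed in this thread open.
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    # Send every query to the forwarders over TLS instead of plain UDP/TCP 53.
    forward-tls-upstream: yes
    # "@853" selects the DoT port; "#dns.quad9.net" is the name the upstream
    # certificate must match, so a spoofed resolver with the right IP but the
    # wrong certificate is rejected rather than silently used.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

Run `unbound-checkconf` after editing, and confirm with a packet capture on the WAN side that outbound DNS now leaves only as TCP/853 and no longer as plain UDP/53.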
03-09-2020 02:32 PM
So is OpenDNS going to support DNS over TLS in the future?
03-10-2020 02:50 AM
Maybe, but would you also be ready to support it from the client side? I.e. would you be able to use it?
03-10-2020 01:58 PM
03-10-2020 04:04 PM
Well, then you possibly can support DNS over HTTPS or DNSCrypt instead of DNS over TLS.
03-11-2020 12:20 AM
DNS over TLS is an IETF standard and this is a serious advantage.
In my opinion and from what I have read, DNS over HTTPS is a bad choice as it camouflages DNS queries as web queries; it is an ugly hack.
DNSCrypt was created by OpenDNS and it is not bad, but still, as DNS over TLS is newer it is better, as it gets some things done better than DNSCrypt.
I want to believe that OpenDNS will also implement the standard and leave the choice to the clients which protocol they want to choose.