Ramblings of an aging IT geek
networking

i stopped trusting my isp's dns and ran unbound

Replacing the ISP and public DNS forwarders with a local Unbound recursive resolver, and why the latency story is better than it looks.


For years my DNS went to whatever my ISP handed out, and when that misbehaved, off to 8.8.8.8. Both work. Both also mean every name my house looks up is visible to, and cacheable by, someone else. I decided to stop forwarding and start resolving. That means running a recursive resolver: a server that walks the DNS tree itself, from the root down, instead of asking a bigger server to do it.

The tool is Unbound. It's small, it's been audited to death, and it does one job. I put it on the same little box that already runs my home services.

the setup is genuinely tiny

The whole useful config fits on a screen:

server:
    # listen only on the LAN address, and only answer LAN clients
    interface: 192.168.1.2
    access-control: 192.168.1.0/24 allow
    do-ip6: no
    # refresh popular names before their TTL runs out
    prefetch: yes
    # keep answers for at least five minutes, even if the zone sets a shorter TTL
    cache-min-ttl: 300
    # send each authoritative server only the labels it needs to see
    qname-minimisation: yes
    # don't answer id.server / version.bind style queries
    hide-identity: yes
    hide-version: yes

qname-minimisation is the one I care about most. Without it, when you resolve mail.example.co.uk, the root servers get told you want the full name. With it, they only learn you're after something under .uk, and the next server only learns you want something under example.co.uk. The root doesn't need to know my mail server exists. Now it doesn't.
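To make that concrete, here is a small simulation (added for this post, not Unbound's code) of the RFC 9156 query sequence for mail.example.co.uk, with and without minimisation. The delegation tree is constructed for illustration: co.uk is deliberately not its own zone, so you can see the resolver add a label and re-ask the same server instead of moving down.

```python
"""Which query name does each authoritative server see while resolving
a name, with and without QNAME minimisation (RFC 9156)? Simplified model."""

# Constructed delegation tree: the zones that hand out referrals.
# co.uk is NOT a zone cut here, so the .uk servers answer it themselves.
ZONE_CUTS = {".", "uk.", "example.co.uk."}


def fqdn(name):
    return name if name.endswith(".") else name + "."


def ancestors(name):
    """Top-down list of names from the TLD to the full name:
    'mail.example.co.uk.' -> ['uk.', 'co.uk.', 'example.co.uk.', 'mail.example.co.uk.']"""
    labels = fqdn(name).rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def queries_full_name(name, zone_cuts=ZONE_CUTS):
    """Classic resolution: every server on the delegation path is asked for
    the whole QNAME. Returns a list of (zone asked, qname sent)."""
    name = fqdn(name)
    path = ["."] + [z for z in ancestors(name) if z in zone_cuts]
    return [(zone, name) for zone in path]


def queries_minimised(name, zone_cuts=ZONE_CUTS):
    """RFC 9156: ask the current zone's server for one label more than the
    zone it serves. On a referral, move to the child zone; otherwise add
    another label and ask the same server again."""
    name = fqdn(name)
    zone, sent = ".", []
    for candidate in ancestors(name):
        sent.append((zone, candidate))
        if candidate in zone_cuts:
            zone = candidate  # referral: the next question goes downstream
    return sent


def seen_by(queries):
    """Group the qnames by the zone whose servers received them."""
    seen = {}
    for zone, qname in queries:
        seen.setdefault(zone, []).append(qname)
    return seen


if __name__ == "__main__":
    for label, fn in (("full name", queries_full_name), ("minimised", queries_minimised)):
        print(label)
        for zone, qname in fn("mail.example.co.uk"):
            print(f"  {zone:20} is asked for {qname}")
```

Run it and the root line changes from `mail.example.co.uk.` to just `uk.`, which is exactly the leak the option closes.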


"but it'll be slower"

This is the objection everyone reaches for, and it's half right. The very first lookup of a cold name is slower, because Unbound has to walk the tree where a forwarder would have answered from cache. You feel it for exactly one query.

After that, you're answering from a cache that lives in your house, one hop away, and it's faster than any public resolver could ever be because the round trip is to a box in the cupboard rather than across the internet. With prefetch on, popular names get refreshed before they expire, so the cache rarely goes cold on the things you actually use. In practice the house got faster, not slower.

The other thing nobody mentions: it just keeps working. When the ISP's resolvers had a wobble last winter and half the street couldn't load anything, my lot didn't notice, because my lot wasn't asking the ISP. That alone was worth the afternoon.