Jim Nitterauer has an excellent presentation covering the many ways that DNS can leak data and on some mitigation tactics.
CloudFlare recently released an app for Android and iOS that makes it easy for users to encrypt their DNS queries using CloudFlare’s 18.104.22.168 DNS resolver.
For once, I’m really not sure what the point is of a security tool like this. One of the criteria for using the 22.214.171.124 app is you need to turn off any VPN you have activated. But I’m not really certain what the use case would be for wanting encrypted DNS but not a VPN.
Personally, I use ProtonMail’s VPN on my phone when I want privacy from the local network operator. There are issues with Proton, but it’s security is more than good enough for anyone not concerned about state actors in their threat model.
Mozilla’s Lin Clark has a cartoon guide to DNS over HTTPS that . . . well . . . bottom line, there is no way to talk about DNS over HTTPS without getting fairly technical (one of the subheads on Lin’s lengthy pice is “What isn’t fixed by TRR with DoH?”) but this is probably as close as anyone is going to get.