Finally got the #DNS locked down at home. I had mis-configured #pfsense to do #DNSSEC verification itself, which disables DNS over #TLS (it would be nice if that was reflected in the UI and not just the documentation). Now the resolver that nearly everything uses works over #DoH (DNS over #HTTPS), and dig reports that my upstream resolver is doing DNSSEC verification for me (it reports ad as an answer flag).

Was finally able to confirm with #CloudFlare’s help page and by checking the firewall state for TCP connections open to port 853.
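As an added example (not part of the original post), a small Python check that reads the header of a `dig +dnssec` reply and reports whether the upstream resolver validated the answer: it parses the `status:` and `flags:` lines for the `ad` bit, and also expects a query for a deliberately mis-signed test name to come back `SERVFAIL`, since the `ad` bit on its own only says that whichever resolver answered claims to have validated. The dig headers below are constructed samples, not captures from the author's network.

```python
import re

# Constructed dig header excerpts (not real captures). Real runs would be
#   dig +dnssec <signed-name> @<resolver>      -> expect NOERROR with "ad"
#   dig +dnssec <broken-sig-name> @<resolver>  -> expect SERVFAIL
VALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
UNVALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_REJECTED = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def parse_dig_header(output):
    """Extract the RCODE and the header flag set from dig's text output."""
    status = re.search(r"status: ([A-Z]+)", output)
    flags = re.search(r"^;; flags: ([^;]*);", output, re.M)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
    }


def validation_verdict(signed_reply, bogus_reply):
    """Judge the resolver from two replies: one for a correctly signed name,
    one for a name whose signatures are deliberately broken."""
    good = parse_dig_header(signed_reply)
    bad = parse_dig_header(bogus_reply)
    validated_good = good["status"] == "NOERROR" and "ad" in good["flags"]
    if not validated_good:
        return "not validating"          # no ad bit: nothing upstream validated
    if bad["status"] == "SERVFAIL":
        return "validating"              # ad on good data, bogus data refused
    # ad set yet broken signatures accepted: the ad bit is not trustworthy here
    return "ad set but bogus data accepted"


if __name__ == "__main__":
    print(validation_verdict(VALIDATED, BOGUS_REJECTED))    # validating
    print(validation_verdict(UNVALIDATED, BOGUS_REJECTED))  # not validating
```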
