We also have an article on securing DNS traffic on clients (part of our home network security series):
Didn’t Google DNS support DoT (& DoH) in January or why do you say they are unencrypted?
Yes, they support it. However, the default configuration file for Google DNS provided by Turris OS only contains the unencrypted version. So, most Omnia owners don’t have a configuration file for it. You could create custom configuration files, of course.
From my experience in the GFW, dnscrypt, DoH, and DoT can protect me from DNS hijacking/contamination. DoT might be at more risk of being detected, since it uses a special port.