Although there is an experimental implementation of DNS-over-TLS through the use of Stubby, official support coming to Pi-hole would greatly enhance the privacy aspects of the Pi-hole. DNS-over-TLS is in essence an encrypted tunnel through which the DNS-requests are send. Man-in-the-Middle (MitM) attacks on this traffic would result in captured encrypted data.
DNS-over-TLS (port 853) is not to be confused with DNS-over-HTTPS (port 443) and DNSCrypt (port 53). DNS-over-HTTPS is something that is supported by Google DNS, but just as DNSCrypt (supported by OpenDNS), it ain’t a formal standard (RFC). DNS-over-TLS is an official standard and it is supported by Quad9 (220.127.116.11) and Cloudflare DNS (18.104.22.168).
Out-of-the-box support for DNS-over-TLS is therefore my feature request :).
All DNS lookups to DNS-servers higher up in the chain are all not encrypted. Hence this invades privacy, because anyone can sniff out to which site you are going. Not the url, but in many cases the domain-name itself surrenders enough data to build a profile.
I have read the following guides, but as there is no formal support yet I do not want to adjust my daily-Pi-hole-driver yet.
But see also these pages from DNS-resolvers.