DNSSEC Resolvers and Browser Validation
DNS hijacking has become a more common tool in the hacking bag of tricks, and your OS and browsers tend not to let you know where the site names are being fetched from.
Many people swap their DNS resolver from automatic (your ISP) to Google's 8.8.8.8 and 8.8.4.4 to improve the speed of domain name lookups, but these are often not as fast as resolvers situated closer to you.
Google does use DNSSEC, but you can also be sure that Google are logging DNS requests.
Normal DNS lookups are not encrypted or validated, so they can be read and changed in transit between you and the DNS resolver.
DNSSEC and DNSCrypt together add validation and encryption.
You must set a DNSSEC resolver as the DNS for each network device you use to connect to the internet, as opposed to one that only connects to an intranet.
You can either use DNSBenchmark to find your fastest/closest DNS with DNSSEC and manually add 2 or more to the network config, or, preferably, install the DNSCrypt proxy and pick the closest OpenDNS to you that shows "DNSSEC enabled" and "No-logging".
Currently there are over 100 DNS resolvers to choose from.
(Linux, Windows, MacOS, Android, iOS, Routers with custom ROM ability)
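To confirm that the resolver you configured really validates DNSSEC, here is an added example (not part of the original post) that sends a query with the EDNS0 DO bit set and reads the AD (Authenticated Data) flag and response code from the reply. The function names and sample reply headers are constructed for illustration, and the resolver address passed to `ask` is whatever you have configured; only the Python standard library is used.

```python
import secrets
import socket
import struct

QR, AD = 0x8000, 0x0020   # response bit; Authenticated Data bit (RFC 4035)
SERVFAIL = 2              # what a validating resolver returns for bogus signatures

def build_query(name, txid, qtype=1):
    """DNS query for `name` (A record by default) with RD+AD set and EDNS0 DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0120, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # class IN
    # OPT pseudo-record: root name, type 41, UDP size 1232, flags 0x8000 = DO
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def classify(response, txid):
    """Return 'validated', 'unvalidated', 'servfail' or 'rcode-N' from the header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & QR:
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    if rcode == SERVFAIL:
        return "servfail"
    if rcode != 0:
        return f"rcode-{rcode}"
    return "validated" if flags & AD else "unvalidated"

def ask(resolver_ip, name, timeout=3.0):
    """Query `resolver_ip` over plain UDP/53 and classify the answer."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify(data, txid)

# Constructed reply headers (not captured traffic): flags differ only in AD/RCODE.
SAMPLES = {
    "validating": struct.pack("!HHHHHH", 7, 0x81A0, 1, 1, 0, 1),
    "plain":      struct.pack("!HHHHHH", 7, 0x8180, 1, 1, 0, 1),
    "bogus":      struct.pack("!HHHHHH", 7, 0x8182, 1, 0, 0, 1),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify(raw, 7))
```

An "unvalidated" result for a zone you know is signed means the resolver is not validating. The AD flag is only as trustworthy as the path to the resolver, since over plain UDP it can be altered in transit, which is why DNSSEC is paired with DNSCrypt above.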
Reference and Downloads
(Yandex browser now has DNSCrypt built-in. Demand the same for Vivaldi)
Unfortunately, many sites using HTTPS are not configured to use DNSSEC validation.
The DNSSEC/TLSA Validator browser extension will check for the existence and validity of DNSSEC-signed DNS records of any HTTPS site you visit.
Alternative DNS can be added in the extension for comparisons.
(Chromium, Firefox, Internet Explorer, Safari)