Hacker News

micw, today at 7:13 AM (8 replies)

I'd like to run my personal DNS server for privacy reasons on a cheap VPS. But how can I make it available to me only? There's no auth on DNS, right?


Replies

thesuitonym, today at 2:53 PM

A personal DNS server provides no privacy. Even if you were using a caching resolver, it would barely even provide any obfuscation.

If you want DNS that is only for you, edit your hosts file.

albertgoeswoof, today at 8:20 AM

It can’t be fully secure, but you can use a domain or path with a UUID or similar such that no one could guess your DNS endpoint, over DoT or DoH. In theory someone might log your DNS query and then replay it against your DNS server, though.

You could also add whitelisting on your DNS server to known IPs, or at least ranges, to limit exposure, and add rate limiting / detection of patterns you wouldn’t exhibit, etc.

You could rotate your DNS endpoint address every x minutes on some known algorithm implemented client- and server-side.

But in the end it’s mostly security through obscurity, unless you go via your own tailnet or similar.
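The IP allowlisting and rate limiting mentioned above, as an added example that is not from this thread or any commenter: an Unbound configuration that listens only on the VPN address and refuses any source outside the VPN range, an nftables ruleset that drops port 53 traffic arriving on any other interface, and a pure-shell CIDR check to confirm that a client address really falls inside the allowed range before the configuration is applied. The interface name wg0, the range 10.8.0.0/24, the resolver address 10.8.0.1 and the sample client addresses are assumed values, and Unbound is assumed to be the resolver.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: WireGuard interface
# wg0, tunnel range 10.8.0.0/24, resolver on 10.8.0.1, Unbound as resolver.
VPN_IF="wg0"
VPN_NET="10.8.0.0/24"
VPN_ADDR="10.8.0.1"

# Unbound: listen only on the tunnel address and refuse every source that is
# not inside the tunnel range. "interface: 0.0.0.0" together with
# "access-control: 0.0.0.0/0 allow" would turn this into an open resolver.
unbound_conf() {
  cat <<EOF
server:
  interface: $VPN_ADDR
  access-control: 0.0.0.0/0 refuse
  access-control: $VPN_NET allow
  ip-ratelimit: 100        # queries per second accepted per client address
EOF
}

# nftables: accept DNS only when it arrives over the tunnel interface, so a
# listener later widened by mistake is still unreachable from the public IP.
nft_rules() {
  cat <<EOF
table inet dnsguard {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$VPN_IF" udp dport 53 accept
    iifname "$VPN_IF" tcp dport 53 accept
    udp dport 53 drop
    tcp dport 53 drop
  }
}
EOF
}

# Pure-shell IPv4 CIDR membership test, used as a pre-flight check.
ip2int() {   # ip2int A.B.C.D -> 32-bit integer
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {   # in_cidr ADDR NETWORK/PREFIX -> exit 0 if ADDR is inside
  ip=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

main() {
  out="${TMPDIR:-/tmp}"
  unbound_conf > "$out/unbound-vpn.conf"
  nft_rules > "$out/dnsguard.nft"
  # Pre-flight: a tunnel client must be allowed, a public address must not.
  in_cidr "10.8.0.2" "$VPN_NET" && echo "10.8.0.2: allowed"
  in_cidr "203.0.113.9" "$VPN_NET" || echo "203.0.113.9: refused"
  echo "wrote $out/unbound-vpn.conf and $out/dnsguard.nft"
}
main
```

Load the ruleset with `nft -f dnsguard.nft` as root and include the generated file from unbound.conf; `unbound-checkconf` validates it before a restart. Binding to the tunnel address alone already avoids the open-resolver problem; the nftables rule is a second, independent layer in case the listener is ever widened.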

teddyh, today at 1:47 PM

The article is about running your own DNS server, which is, and must always be, available to everyone. What you are talking about is running a DNS resolver, but that is not the topic.

mlhpdx, today at 12:58 PM

Run it over WireGuard? I have this setup: cloud-hosted private DNS protected by Noise/ChaCha20. Only my devices can use it, because only they are configured as peers.

khoirul, today at 7:21 AM

You could run it within a Tailscale VPN network. In fact Headscale (Tailscale server) has a very basic DNS server built-in.

Loeffelmaenn, today at 7:21 AM

I just use a VPN like Tailscale or WireGuard. You can normally also tell clients what DNS to use when on the VPN.
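The WireGuard arrangement mlhpdx and Loeffelmaenn describe (only enrolled peers can reach the resolver, and the VPN tells clients which DNS to use), as an added example rather than any commenter's own configuration: a generator for the server config and one peer config. On the server, each peer's AllowedIPs pins it to a single /32, so only a device with a listed public key can ever send packets to the resolver's tunnel address; on the client, the DNS line makes wg-quick install that resolver while the tunnel is up. The addresses 10.8.0.1 and 10.8.0.2, the endpoint vpn.example.com:51820 and the placeholder key strings are assumptions; real keys are generated with wg(8) when it is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: the resolver listens on
# the server's tunnel address 10.8.0.1, the first peer is 10.8.0.2, and
# vpn.example.com:51820 is a placeholder endpoint. Keys come from wg(8) when
# it is installed; otherwise clearly marked placeholders are emitted.
SERVER_ADDR="10.8.0.1"
CLIENT_ADDR="10.8.0.2"
ENDPOINT="vpn.example.com:51820"

genkey() {
  if command -v wg >/dev/null 2>&1; then wg genkey; else echo "PLACEHOLDER_PRIVATE_KEY"; fi
}
pubkey() {   # pubkey PRIVATE_KEY
  if command -v wg >/dev/null 2>&1; then printf '%s\n' "$1" | wg pubkey; else echo "PLACEHOLDER_PUBLIC_KEY"; fi
}

# Server side: one [Peer] per enrolled device. AllowedIPs is both a route and
# an ACL: packets from this key are accepted only with the pinned /32 as
# source, and no key that is not listed here can reach 10.8.0.1:53 at all.
server_conf() {   # server_conf SERVER_PRIVATE_KEY CLIENT_PUBLIC_KEY
  cat <<EOF
[Interface]
Address = $SERVER_ADDR/24
ListenPort = 51820
PrivateKey = $1

[Peer]
PublicKey = $2
AllowedIPs = $CLIENT_ADDR/32
EOF
}

# Client side: "DNS =" makes wg-quick use the tunnel resolver while the
# tunnel is up. AllowedIPs = 10.8.0.1/32 is a split tunnel (only the resolver
# is routed over WireGuard); use 0.0.0.0/0 instead to send all traffic.
client_conf() {   # client_conf CLIENT_PRIVATE_KEY SERVER_PUBLIC_KEY
  cat <<EOF
[Interface]
Address = $CLIENT_ADDR/32
PrivateKey = $1
DNS = $SERVER_ADDR

[Peer]
PublicKey = $2
Endpoint = $ENDPOINT
AllowedIPs = $SERVER_ADDR/32
PersistentKeepalive = 25
EOF
}

# Sanity check for a server config read from stdin: every peer must be
# pinned to a /32. A wider AllowedIPs on the server side lets one peer
# claim other tunnel addresses, and 0.0.0.0/0 would route all of the
# server's own traffic to that peer.
peers_pinned() {
  ! grep '^AllowedIPs' | grep -qv '/32$'
}

main() {
  spriv=$(genkey); cpriv=$(genkey)
  spub=$(pubkey "$spriv"); cpub=$(pubkey "$cpriv")
  server_conf "$spriv" "$cpub" | peers_pinned || { echo "server peers not pinned" >&2; exit 1; }
  echo "# --- wg0.conf on the VPS ---";    server_conf "$spriv" "$cpub"
  echo "# --- wg0.conf on the client ---"; client_conf "$cpriv" "$spub"
}
main
```

Each further device gets its own key pair, its own /32 and its own [Peer] block on the server; revoking a device is deleting that block. Pair this with a resolver that listens only on 10.8.0.1, so nothing on the VPS's public address answers DNS at all.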

slow_typist, today at 7:20 AM

SSH tunnels are a possibility.