As for secure DNS, the best solution is go full 1990 and use the hosts file.
(Yeah, I see that tongue-in-cheek, but I'm on a rampage here, so you get to tag along.)
As I was involved in the development and deployment of RFC 4034/4035 secure DNS, I beg to differ.
I recommend turning validation on.
Further, the people behind Pi-hole are as far as I can tell trying a bit too hard to help.
There is no option to not forward queries to another full service resolver. I think that this is a
very important feature which is missing in Pi-hole. And they sortakinda gloss over the possibility of having the option, by stating that such a forwarder is
required. Someone is wrong on the Internet. Today again.
And, they're using dnsmasq. I can't recommend dnsmasq. Not when the clearly superior
unbound exists. Even before unbound, there was BIND. Which is much better than dnsmasq, but not as good as unbound. (And I'm not even starting to talk about
PHP, a "language" that is banned from my computers.)
Yeah, worsthorse, I'm throwing spanners in your thought process. Sorry. I think you'll be fine using it, but I, being sort of in the middle of it, am setting higher standards for my own systems. A rabbit-hole, as good as any TE one...
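As an added illustration (not from the post, nor configuration shipped by the Pi-hole or unbound projects), here is a minimal unbound.conf for the setup argued for above: full recursion from the root with DNSSEC validation enforced and no upstream forwarder, with the forwarding stanza shown commented out. The file paths, listen address and LAN prefix are assumptions for a typical Debian-style install.

```conf
server:
    # Listen on the LAN only; adjust the address/prefix to your network (assumed values)
    interface: 192.168.1.2
    access-control: 192.168.1.0/24 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Full recursion from the root servers: no forwarder involved.
    # Path is an assumption; populate from https://www.internic.net/domain/named.root
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation on, with RFC 5011 automatic trust-anchor maintenance.
    # Path is an assumption; initialise with unbound-anchor(8)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    module-config: "validator iterator"

    # Do not hand back answers whose signatures were stripped or failed to validate.
    harden-dnssec-stripped: yes
    val-permissive-mode: no

    # Reduce what the resolver leaks and accepts along the way.
    qname-minimisation: yes
    harden-glue: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    prefetch: yes

# The setup the post objects to: blindly forwarding everything to another
# full-service resolver. Left commented out deliberately; with it enabled,
# validation still runs here, but every query is visible to the forwarder.
#forward-zone:
#    name: "."
#    forward-addr: 192.0.2.53   # placeholder upstream resolver address
```

After loading it, `unbound-checkconf` should report no errors, and a query for a signed zone should come back with the AD flag set while a deliberately broken test domain returns SERVFAIL.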