Ever since my service provider started injecting data to replace DNS "lookup failed" messages (so that your browser showed one of their ads), I've been looking for a means to avoid using their DNS servers. Initially, it was easy. I just used a different forwarder. The ads returned when my service provider started intercepting those (my guess: via a dnsmasq variant).
This was an issue because I monitor a number of DNS entries for friends, family, and customers (as well as web server front pages and other network services). My service provider removing all "lookup failed" messages, and intercepting outbound queries, limited to what I could watch for via DNS queries.
The next step in this DNS arms race appeared to be dnscrypt-proxy. By default, it encrypts DNS queries and sends them out over port 443, to OpenDNS's name server (which also "speaks" dnscrypt). Note: you are able to change both the port and the name server, if needed.
I've added notes to the wiki for adding dnscrypt-proxy to the Raspberry Pi, including a start up script, using the code from Git Hub (vice the distributed tarball), and getting it to work as a forwarder for BIND9.
There were two drawbacks that I discovered. One is: my service provider has since discontinued the practice of injecting ads into DNS queries, while OpenDNS has taken up injecting their search page info into DNS failed-query responses. The other is: there is an issue with DNSSEC. While dnscrypt-proxy supposedly does work with DNSSEC, OpenDNS currently breaks it.
If anyone knows of a "trustable" public DNS server that works with both dnscrypt and DNSSEC, and doesn't inject traffic, please let me know. In the mean time, I'll continue to use the tool with OpenDNS, 'cause their service has other features that I like having (e.g., filtering of objectionable web sites).