irk428
Private DNS or using a VPN is really the only way you can avoid using local network DNS servers with a fairly automatic setup. Private DNS will push all your DNS queries over encrypted DNS-over-TLS and only use network DNS to find the hostname of the DNS provider you specify; a VPN will generally have its own DNS specified once you connect to it, so you have the same situation of network DNS only being used to connect to the VPN and everything else going over it afterwards.
For something less conventional, I found I can run a WireGuard VPN on my home OPNsense firewall and, instead of forcing all internet traffic through the tunnel, I'm only using it for access to my local network, including the Unbound DNS server it's running with block lists. Specifying my home network DNS server in the WG settings does appear to be forcing all DNS traffic over the tunnel, but nothing else.
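One check worth running before trusting a split-tunnel setup like the one above, as an added example that is not part of the post: does the DNS server named in the WireGuard client config actually fall inside a peer's AllowedIPs? If it does not, queries to it never enter the tunnel and go out over the local network instead. The config values (10.8.0.0/24 tunnel range, 192.168.1.0/24 home LAN, 192.168.1.1 as the Unbound resolver, 203.0.113.53 as an off-LAN resolver, placeholder keys and endpoint) are constructed assumptions.

```python
import ipaddress

# Constructed sample configs (not from the post). Assumed values: 10.8.0.0/24 as
# the WireGuard tunnel range, 192.168.1.0/24 as the home LAN and 192.168.1.1 as
# the Unbound resolver on the OPNsense box; keys and endpoint are placeholders.
SPLIT_TUNNEL_OK = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24
DNS = 192.168.1.1

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = home.example.net:51820
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24   # tunnel + LAN only, not 0.0.0.0/0
"""

# Same split tunnel, but the resolver (constructed off-LAN address) sits outside
# AllowedIPs, so queries to it bypass the tunnel and use the local network path.
SPLIT_TUNNEL_LEAKY = SPLIT_TUNNEL_OK.replace("DNS = 192.168.1.1", "DNS = 203.0.113.53")


def parse_wg_conf(text):
    """Return ([Interface] DNS addresses, [Peer] AllowedIPs networks)."""
    dns, allowed, section = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")    # keys end in '=' only after the first
        key = key.strip().lower()
        items = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key == "dns":
            for v in items:
                try:
                    dns.append(ipaddress.ip_address(v))
                except ValueError:
                    pass   # DNS= may also list search domains; skip those
        elif section == "peer" and key == "allowedips":
            allowed += [ipaddress.ip_network(v, strict=False) for v in items]
    return dns, allowed


def dns_covered_by_tunnel(text):
    """Map each DNS server to True if some peer's AllowedIPs routes it."""
    dns, allowed = parse_wg_conf(text)
    return {str(d): any(d in net for net in allowed) for d in dns}
```

This is the same reasoning behind the behaviour described in the post: with the resolver's address inside AllowedIPs, DNS traffic takes the tunnel while every other destination keeps its normal route.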