@VMlabman throw some info at you - why resolving is better than forwarding ;)
When you forward, you're at the mercy of that site to be up.. While they have very robust networks, and they shouldn't be going down.. They can and they have. At least in some parts of the world.
So you can try to mitigate that causing you issues by forwarding to more than one service. But if these services filter, you run into the issue where service X filters A but service Y does not - which one are you going to be using at any given time? So maybe some site is filtered, or maybe it's not? You can have different results handed to you based upon which NS you actually talked to in their vast anycast network, which might hand you different IPs that may or may not be optimal for where you're at..
When you resolve, the whole freaking internet would have to be down for your DNS to be down. If the roots or gTLD servers are down, the whole internet is down.. Doesn't matter what service you might be using for your DNS.
I just don't get the advantage of handing over all of my DNS queries to some service.. They might provide some good filtering, sure, ok - no thanks, I can do my own filtering thank you very much ;)
I will resolve, and talk directly to the NS for the domains I am wanting to go to.. I have no need or desire to hand over every single DNS query I do to some service.. What is better for privacy? While you might hide your DNS from your ISP, you're just handing it over to someone else on a silver platter.
And like you discovered, sending your DNS via encryption to some service doesn't actually hide anything from your ISP. They for sure know where you're going by IP and port, and they can also very simply grab all your SNI info.
If you are concerned about your ISP knowing where you're going - you need to encrypt not just the DNS, but the data flow as well.