DNS got fragmented in the 2020s: encrypted by default (DoH/DoT), centralized to a few providers (Cloudflare, Google, Quad9), and increasingly handled by browsers' built-in resolvers, which bypass the OS resolver. The infrastructure looks superficially the same, but the trust model is very different.
DoH vs DoT
DoH (DNS over HTTPS, port 443): looks like ordinary web traffic, so it is hard to block; on by default in Firefox/Chrome with Cloudflare/Google as the upstream. DoT (DNS over TLS on its own port, 853): a cleaner protocol and easy to identify and filter (which cuts both ways). Both encrypt the query on the wire; both push queries to a handful of centralized resolvers.
DNSSEC — under-deployed
DNSSEC signs records so validating resolvers can verify their integrity, which closes off cache poisoning. Adoption: roughly 30% of zones; most websites don't bother. Browser-level DoH bypasses the OS resolver and, with it, any local DNSSEC verification entirely.
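To make the two previous points concrete, here is an added example (my code, not part of the original note) that builds a DNS query in wire format, frames the same message the way DoH (RFC 8484 GET, base64url in the `dns=` parameter) and DoT (RFC 7858, two-byte length prefix over TLS on 853) carry it, sets the EDNS0 DO bit to ask for DNSSEC, and then parses a response to see whether the resolver set the AD (authenticated data) bit. The resolver host `dns.example.net` is a placeholder, and the response is constructed locally so the whole thing runs offline; a real client would send the framed bytes over HTTPS or TLS and parse what comes back the same way.

```python
"""DNS wire format, DoH/DoT framing, and the DO/AD bits, offline."""
import base64
import struct

AD_FLAG = 0x0020   # authenticated data: resolver says it validated DNSSEC
DO_FLAG = 0x8000   # EDNS0 "DNSSEC OK": client asks for signed answers


def encode_name(name: str) -> bytes:
    """example.com -> \\x07example\\x03com\\x00 (label-length encoding)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0, dnssec_ok: bool = True) -> bytes:
    """Standard query with RD set; txid 0 keeps DoH GET messages cacheable (RFC 8484)."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    msg = header + question
    if dnssec_ok:
        # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO bit, rdlen 0
        msg += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, DO_FLAG, 0)
    return msg


def doh_get_url(host: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url, no padding, in the dns= parameter."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{host}/dns-query?dns={param}"


def decode_doh_param(param: str) -> bytes:
    """Inverse of the dns= encoding (re-add the stripped padding)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def dot_frame(query: bytes) -> bytes:
    """RFC 7858 carries DNS over TLS with the TCP framing: 2-byte big-endian length."""
    return struct.pack("!H", len(query)) + query


def read_name(msg: bytes, offset: int, max_hops: int = 16):
    """Read a possibly-compressed name; cap pointer hops so a hostile message can't loop us."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Return rcode, whether AD was set, and the answer records (A records rendered as IPv4)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(msg, offset)
        offset += 4                                # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & AD_FLAG), "answers": answers}


def constructed_response(query: bytes, ip: str = "192.0.2.1", ad: bool = True) -> bytes:
    """Constructed sample reply (not from a real resolver): echoes the question, one A record,
    name via compression pointer to offset 12, AD set only if the 'resolver' validated."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (AD_FLAG if ad else 0)        # QR, RD, RA (+AD)
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("dns.example.net", q))
    print(dot_frame(q)[:2].hex(), "length prefix for DoT")
    print(parse_response(constructed_response(q)))
```

The point of checking AD on the client side is the one the note makes: a stub (browser or OS) that does not validate itself is trusting the upstream resolver's word, and the AD bit is only as good as the TLS/HTTPS channel and the resolver behind it.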
Centralization concerns
Cloudflare, Google and OpenDNS see most of the DNS queries their resolvers' users make. The performance benefits are real (anycast, low latency); the privacy and resilience trade-offs get far less discussion. If you care, operate your own resolver.