Re: DNS over TLS
"ISP who hijacks the DNS port wholesale"
You run a local DNS daemon on your own system and direct clients to use it (resolv.conf set to localhost). The local daemon forwards DNS requests out through a secure connection to an external service that uses something other than the standard port.
Anyway, that's the basic theory. I'd have to get my kid's help to actually set it up.
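
The setup described in the comment above, as an added example that is not part of the original post: a local Unbound forwarder that sends every query over TLS to an upstream on a non-standard port. Unbound is one possible choice of daemon; the upstream address `192.0.2.53`, port `8853`, name `dns.example.net` and the CA bundle path are placeholders and assumptions, not values from the thread.

```conf
# --- /etc/unbound/unbound.conf (constructed example) ---
server:
    # Listen only on loopback so nothing off-host can use this resolver.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # CA bundle used to validate the upstream's certificate.
    # The path differs between distributions (assumption).
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    # Forward the whole namespace, not just one zone.
    name: "."
    # Wrap all forwarded queries in TLS.
    forward-tls-upstream: yes
    # Format: <ip>@<port>#<name expected in the server certificate>
    # Placeholder upstream on a port other than 53 or 853.
    forward-addr: 192.0.2.53@8853#dns.example.net

# --- /etc/resolv.conf (constructed example) ---
# Point the system's stub resolver at the local daemon.
nameserver 127.0.0.1
```

The `#dns.example.net` suffix together with `tls-cert-bundle` is what makes Unbound authenticate the upstream; without them the connection is encrypted but an on-path party presenting any certificate would be accepted.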