So I tried to install DNSCrypt... I got it working, but it always failed when starting as a service. It'd run just fine if run manually, but then I'd have to keep a terminal window open.
OK, so DNSCrypt is out... let's try BIND 9. Well, the version we have in our repository is 9.16.1, and in order to do DNS over HTTPS, it requires at least 9.17.
9.16.1 runs well, but Comcast can still do DNS hijacking when you're running it because it doesn't support DNS over HTTPS or DNS over TLS, so there's no advantage to running it.
No problem, we'll get the development PPA repository and install the latest 9.19.8. That'll fix things, right? Well, one of the packages fails to fully install and BIND then refuses to start.
So I'm back to square one as regards DNS encryption.