Traditionally, DNS queries are sent in plaintext. Anyone listening on the Internet can see which websites you are connecting to.
To ensure your DNS queries remain private, you should use a resolver that supports secure DNS transport such as DNS over HTTPS (DoH) or DNS over TLS (DoT).
The fast, free, privacy focused 1.1.1.1 resolver supports DNS over TLS (DoT), which you can configure by using a client that supports it. For a list of these take a look here. DNS over HTTPS can be configured in Firefox today using these instructions. Both will ensure your DNS queries remain private.
DNSSEC allows a user, application, or recursive resolver to trust that the answer to their DNS query is what the domain owner intends it to be.
Put another way: DNSSEC proves authenticity and integrity (though not confidentiality) of a response from the authoritative name server. Doing so makes it much harder for a bad actor to inject malicious DNS records into the resolution path through BGP leaks and cache poisoning. This type of tampering can allow an attacker to divert all traffic to a server they control or stop the encryption of SNI, exposing the hostname you are connecting to.
Cloudflare provides free DNSSEC support to everyone. You can read more about DNSSEC and Cloudflare at https://www.cloudflare.com/dns/dnssec/.
TLS 1.3 is the latest version of the TLS protocol and contains many improvements for performance & privacy.
If you're not using TLS 1.3, then the certificate of the server you are connecting to is not encrypted, allowing anyone listening on the Internet to discover which websites you are connecting to.
All websites on Cloudflare get TLS 1.3 support enabled as default - you can check your setting at any time by visiting the crypto section of the Cloudflare dashboard. To read more about TLS 1.3 visit https://www.cloudflare.com/learning/ssl/why-use-tls-1.3/
As a website visitor you should ensure you are using a browser which supports TLS 1.3 today by visiting this page and choosing a compatible browser.
Encrypted Client Hello (ECH) is an extension of the TLS handshake protocol that prevents privacy-sensitive parameters of the handshake from being exposed to anyone between you and Cloudflare. This protection extends to the Server Name Indication (SNI), which would otherwise expose the hostname that you want to connect to when establishing a TLS connection.
ECH is not yet widely available for web services behind Cloudflare, but we are working closely with browser vendors on the implementation and deployment of this important privacy enhancement for TLS. Read more in the blog post introduction to ECH and our more recent update on the process of making this protection more widespread.