Pihole is most popular among self holsters. It has nice GUI, it’s capable and its solid. It’s basic in sense of DNS features. You need to use config files to customize from terminal and even then it’s limited.
Adguard in my experience has more advanced blocking features. DNS also allows you little more flexibility like wildcard records. You can have separate config for different clients (like guest/kids network blocking)
NextDNS is SaaS only. It has most advanced blocking features but free account only gets you limited queries monthly. You can choose to keep your logs on specific servers or not to keep at all… from privacy perspective it’s arguably worse because you have to trust another company but it’s a good middle ground. Self hosted still needs upstream DNS but it could be tunneled through VPN which would anonymize traffic. NextDNS is upstream dns and it can’t distinguish internal network source.
I would throw zenarmor to the mix https://www.zenarmor.com/. Paid home license costs 10$/month and allows 3 different profiles. It is more advanced as it sniffs all network packets and not only DNS. It’s not replacing dns. It has great reports/dashboards.
For best DNS capabilities I would recommend technitium https://technitium.com/dns/. It’s free. You have gui, dns blocking and full DNS capability with some advanced plugins. It’s not as fancy for dashboards like pihole or Adguard.
You would use combination of solutions and nextDNS could be your upstream if you don’t mind paying them. If privacy is your thing you want to have more generic upstream that everyone uses like quad9.
Yes! I have a split DNS setup with technitium using advanced forwarding plugin. You can set different upstream based on client IP or subnet. So this way you can send to vpn DNS to prevent leaking.
Also you can have multiple piholes (poor mans setup) and have each configured filtering for dedicated VLAN. For instance be more strict for guest kids and less on adults net. Adguard can do that without having to have many instances but then Adguard can’t forward traffic based on origin IP. You can make any kind of logic and send different clients to different upstreams. As far as I know only BIND provides this functionality through views but it’s more complicated setup and no lovely GUI. You can always send all traffic through tunnel but then some results may be not ideal if you will be detected to be in different country and content will be served in other language. I think results will vary based on VPN endpoint. You don’t need to tunnel through vpn if you use DNS over https. It’s completely invisible to the ISP. VPN is more of a use case if you want to be consistent with your exit IP and DNS queries.