I run Pi-Hole in Docker and connect to it via WireGuard. I then use a forwarding DNS server which catches all DNS requests and uses DNS over TLS. Hardware used: EdgeRouter-Lite. Results: slightly higher latency, obviously, but no ads and secure DNS traffic and secure traffic regardless of where my client resides or over which network. I also use LineageOS with microG which doesn't implement Google ads in the first place, and Firefox + uBlock Origin just in case. uMatrix is good, but too much of a hassle to configure IMO.
