DNS is very leaky no matter where you run it, unless you run DNS over HTTPS (DoH). Full stop.
I’m no fan of DoH because it scales poorly. Nevertheless, a combination of Tailscale (or a Tailscale-like secure overlay mesh network) and an in-mesh DoH DNS relay is going to be more secure than most other setups. Relay the DNS out through Tor at your own (performance) peril, but that’s going to be very secure.
I’m not a practitioner of this method, but it’s how I would approach it if I needed to.