This is controversial because they are "big bad" companies. But in some cases I think that is a plus because they have some responsibility to do as they say.
- Use a resolver that is a part of Mozilla's Trusted Recursive Resolver Program. Mozilla makes them agree to a solid privacy policy: https://wiki.mozilla.org/Security/DOH-resolver-policy#Conforming_Resolvers
- Google DNS. Obviously controversial but their privacy policy is very good. They keep "full" logs for at most 48 hours and only for debugging purposes.
The major concern for all of these is that they are allowed the keep anonymized logs forever. This means that if the hostname itself it sensitive then it can be recorded forever. (For example if you have "secret" subdomains).
The other option is running your own recursive resolver, this mostly nullifies the private subdomain issue as only the authoritative server will see it (other than network snoopers) however this has very real downsides.
- It exposes your IP address to many authoritative servers with no guarantees about the logs they keep.
- It can be slow as there is no shared cache.
- Requests from your resolver to the internet are not encrypted.
Disclaimer: I used to work at Google (but not on Google Public DNS) and have no affiliation with other named or referenced companies.