How to Encrypt Your DNS With DNSCrypt on Ubuntu and Debian - Because all your web browsing is an Open Book Otherwise
The topic recently came up again about whether a foreign (anyone outside of your own country... or actually even in your own country) agency is tapping into or mining data from your phone. The easy answer (my opinion only) is that yes, if you are being targeted for something specific (and if the German Chancellor's phone can be bugged by the USA, anyone can bug your personal phone), but no, they would not go to the trouble for each phone if they are scanning masses of data for patterns or vulnerabilities.
The easier way is to spend some effort on hacking a treasure trove of information that is more publicly accessible. So think DNS (domain name lookups) for all the sites you and everyone else visit, which are (usually) sent in open text, or hacking Facebook (or just spending money and buying private data from Facebook or similar), or hacking a major ISP where thousands of people's data pass through every day. They go where they can get the most information for the least effort. That's the plain economics of hacking.
DNS (a very old Internet technology) is but one area where you can tighten things down yourself and create less exposure externally. If, say, a foreign (or local) power wanted to identify everyone who visited the Jolly Roger Website, they could either hack the Jolly Roger Website and try to find out who arrives there, or they could scan network traffic via major ISPs and see who visits the site that way. The nature of Internet traffic is that, for information to travel back to your computer from any site you visit, every packet you send out from your computer also contains your "return address" so that the information can reach you (much like posting a letter where you put your return address on the outside at the back so the letter can get back to you if it is undelivered - everyone sees that address).
So all encrypted DNS is doing is to "put everything inside the envelope". But it is still not 100% secure, as the postman (or "person" - the encrypted DNS server) does have the keys to open that envelope and read the addresses, otherwise they cannot deliver it and return the data, but no-one else sees it while en route.
DNSCrypt encrypts your DNS traffic automatically and sends it to DNS servers that also use encryption. This way, the entire transaction remains encrypted throughout. Not even your ISP will be able to see where you're browsing. DNSCrypt is actually one of the easiest services that you can set up on Linux, so there's really no reason not to use it.