Most ISPs run caching resolvers. Or you can use OpenDNS or the Google’s DNS servers. Some home network gateways run some lightweight version of such server as embedded. Or you can run your own, to be sure (and to be able to selectively block or redirect domains); it’s a handy tool.
Won’t 100% protect portable devices that connect to unknown networks (though you can run your own caching resolver on those ones, too; easy on a laptop, should be possible on a rooted android with just a bit of pain if it does not already exist as an app).
Should be good enough for things on a local LAN. Could be attacked by a hostile machine that disables/DoSes the LAN’s DHCP server and takes over the DNS (or does ARP hijack or so), though, if it already gets to the LAN - but then you are likely to already have a bigger problem.
The third-party resolvers should be testable by running your own authoritative DNS server for a subdomain (which can be as simple as a short script that spits out precrafted fragmented packets with too big payload, I did (well, improved some German guy’s code) something vaguely similar in Lua for ESP8266 to redirect all DNS queries to the module’s IP)), and then check how the domain resolves and if the bad stuff gets through.
