https://docs.pi-hole.net/guides/dns/cloudflared/
I use pihole+cloudflared to translate all DNS requests on my LAN to DoH requests. Regular DNS isn’t permitted to leave my network. (port 53 outbound is blocked)
Can’t redirect/modify/monitor DoH requests like you can plain DNS.
I host my own vpn from home, which keeps me behind my pihole(s) and able to access my private services without exposing them to WAN.
Also secures my mobile traffic from snooping/modifying while on public networks.