I'm running https://crates.io/crates/doh-proxy on my Pihole for DoH access (with an nginx frontend for TLS, though that's not necessary of course). You can just plug it into Firefox and it'll work.
With nginx in front you can put a stream {} block to proxy pi.hole:853/tcp to pi.hole:53 to enable DoT at the same time:
This setup worked great for me with Android, though it doesn't log the requesting device separately anymore (which is why I switched to a DNS server over a WireGuard VPN instead).
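The nginx layout the comment above describes, as an added example that is not part of the original post: a `stream {}` block terminating DoT on 853/tcp and a TLS frontend for doh-proxy. The certificate paths, the Pi-hole listener on 127.0.0.1:53, and the doh-proxy address 127.0.0.1:3000 with path `/dns-query` are assumptions; adjust them to the actual setup.

```nginx
# Added example; paths, ports and upstream addresses are assumptions.

# DoT: terminate TLS on 853/tcp and forward the plain DNS-over-TCP
# stream to the resolver. Goes at the top level of nginx.conf.
stream {
    server {
        listen              853 ssl;
        ssl_certificate     /etc/nginx/tls/pi.hole.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/tls/pi.hole.key;   # placeholder path
        ssl_protocols       TLSv1.2 TLSv1.3;

        proxy_pass          127.0.0.1:53;   # assumed: Pi-hole answering on TCP 53
        proxy_timeout       30s;            # drop idle DoT sessions
    }
}

# DoH: TLS frontend for doh-proxy, which speaks plain HTTP locally.
http {
    server {
        # RFC 8484 recommends HTTP/2 as the minimum version for DoH.
        listen              443 ssl http2;
        server_name         pi.hole;
        ssl_certificate     /etc/nginx/tls/pi.hole.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/tls/pi.hole.key;   # placeholder path
        ssl_protocols       TLSv1.2 TLSv1.3;

        location /dns-query {
            proxy_pass http://127.0.0.1:3000;   # assumed doh-proxy listen address
        }

        # Expose nothing else on this virtual host.
        location / {
            return 404;
        }
    }
}
```

With both paths proxied, the resolver sees every query arriving from nginx or doh-proxy on the local address, which is why per-device logging is lost in this setup.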
Doesn't this only give you DoH and DoT on the local half of the connection? Don't you need to also use cloudflared or unbound to send the remote half over DoH (which is where basically all of the security and privacy benefit comes from) as well?
You're right, but I made the assumption that people want to play around with DNS resolution.
For even better privacy, you'll need something like dnscrypt or enable DoH in your local bind/unbound/knot/powerdns server. Preferably ODoH to have complete privacy, but I don't know how commonly that's implemented yet.