Ours is "long sausage"
Up there with one of the worst performances I have seen. We were so, so lucky to come away with anything here. We need to wake up fast; any decent team would have had a field day today.
It was a while ago, so I can't remember exactly, but there is a good article here. The cloudflared daemon is set up to run a standard DNS server over TCP/UDP port 53 as normal. You configure the upstream DNS to be DoT-based. The clients then send DNS requests as normal to the cloudflared service, which converts them to DoT upstream, and the response is then sent back to the client as a normal DNS response.
Another option you have: install the cloudflared service on your pihole and use that as a DNS server. Cloudflared can take DNS requests from your clients and then proxy those requests over DoT to an upstream server which supports DNS over TLS. I have used Google in the past for this. I had great success with this solution inside a corporate environment which blocked port 53 to all outside the network.
Shambolic and gutless. It didn't work last week, and playing the same team again didn't work this week. The only difference is we didn't get lucky this time.