@groundcat
Last active June 23, 2024 16:51
Setup AdGuard DNS Over HTTPS on Ubuntu

Download the cloudflared daemon.

wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
sudo mv cloudflared-linux-amd64 /usr/sbin/cloudflared
sudo chmod +x /usr/sbin/cloudflared
cloudflared --version

Start the DNS proxy on an address and port in your network.

sudo cloudflared proxy-dns --upstream https://dns-family.adguard.com/dns-query

Create a systemd unit for cloudflared so it can run as a service and start at boot.

sudo tee /etc/systemd/system/cloudflared-proxy-dns.service >/dev/null <<EOF
[Unit]
Description=DNS over HTTPS (DoH) proxy client
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DynamicUser=yes
ExecStart=/usr/sbin/cloudflared proxy-dns --upstream https://dns-family.adguard.com/dns-query

[Install]
WantedBy=multi-user.target
EOF

Pin the IP addresses for dns-family.adguard.com in /etc/hosts in case of DNS contamination.

echo "94.140.14.15 dns-family.adguard.com" | sudo tee -a /etc/hosts
echo "94.140.15.16 dns-family.adguard.com" | sudo tee -a /etc/hosts

Enable and start the service so it starts at boot.

sudo systemctl daemon-reload
sudo systemctl enable --now cloudflared-proxy-dns
sudo systemctl status cloudflared-proxy-dns

Verify that it's running, then switch your DNS servers to 127.0.0.1

dig +short @127.0.0.1 google.com A

Set the local DNS resolver

echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf

Force everything to use this DNS

sudo iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 127.0.0.1:53
sudo iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:53
sudo iptables -t nat -A POSTROUTING -j MASQUERADE

Save the iptables rules

sudo apt install iptables-persistent -y
sudo netfilter-persistent save
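
To check later that the lockdown is still in place, the following added example (not part of the original gist) audits a resolv.conf file and saved `iptables -t nat -S OUTPUT` output for the settings made above. The function names and sample inputs are constructed, and the rule text assumes the normalized form that `iptables -S` prints (`-m tcp`, `--to-destination`).

```sh
#!/bin/sh
# Added example, not from the gist: audit the DNS lockdown for drift.
# Function names and the sample inputs below are constructed for illustration.

# Succeed only if every nameserver entry in the resolv.conf at $1 is 127.0.0.1.
resolv_ok() {
    awk '$1 == "nameserver" { n++; if ($2 != "127.0.0.1") bad++ }
         END { exit (n > 0 && bad == 0) ? 0 : 1 }' "$1"
}

# Read `iptables -t nat -S OUTPUT` output on stdin. Succeed only if protocol $1
# (tcp or udp) has a port-53 DNAT rule that points at 127.0.0.1:53.
dnat_ok() {
    grep -Eq -- "^-A OUTPUT .*-p $1 .*--dport 53 .*-j DNAT --to-destination 127\.0\.0\.1:53( |\$)"
}

# Print one line per problem; print nothing when the lockdown is intact.
# $1 = resolv.conf path, $2 = file holding the saved nat OUTPUT rules.
audit() {
    resolv_ok "$1" || echo "resolv.conf: missing or contains a nameserver other than 127.0.0.1"
    for proto in tcp udp; do
        dnat_ok "$proto" <"$2" || echo "iptables: no port-53 DNAT rule for $proto"
    done
}

# Constructed sample: resolv.conf was rewritten to the systemd-resolved stub
# address and only the UDP redirect is present, so TCP lookups on port 53
# would bypass the DoH proxy.
tmp=$(mktemp -d)
printf 'nameserver 127.0.0.53\n' >"$tmp/resolv.conf"
printf '%s\n' '-P OUTPUT ACCEPT' \
    '-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:53' >"$tmp/nat"
audit "$tmp/resolv.conf" "$tmp/nat"
rm -rf "$tmp"
```

On a live host, save the output of `sudo iptables -t nat -S OUTPUT` to a file and pass it to `audit` together with /etc/resolv.conf; no output means the resolver setting and both redirects are intact.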