Android, Pi-hole, and DoH on/off LAN

I am running Pi-hole in a mostly stock configuration at home, on my RPi 3B+, and overall I am super pleased with it. I know what I am trying to do, but do not know how to pull it off on Android devices that are moving from LAN Wi-Fi to the wireless carrier and back.

Expected Behaviour: I want to have my Android devices on home Wi-Fi utilize Pi-hole, via DHCP pointing them to Pi-hole for DNS (this mostly works), but I also want to use DoH (DNS over HTTPS) with CloudFlare when I disable Wi-Fi on these same devices and use the carrier. Is there an easy way to configure these devices to move back and forth?

Actual Behaviour: If I configure the Android device to use DoH for CloudFlare when it is using the carrier network, and I connect back to the home Wi-Fi with the Pi-hole, the phone appears to circumvent Pi-hole DNS and go straight to CloudFlare DNS, which keeps me from taking advantage of the Pi-hole ad blocking...

Thanks for any help. I suspect this is an Android configuration issue, but I am sure that a lot of people want to use secure / private DNS on Android in conjunction with Pi-hole, and I don't see a way to do that...

I'm still searching for a solution that is more of an end-point device policy / config solution, but it's come to my attention that there is a potential solution possible from the Pi-hole side (namely implementing a canary domain setup to turn off DoH when Chrome or Firefox browsers are on a network like the Pi-hole's). Exploring running unbound locally and implementing the canary domain now as a workaround...

DoH is used by client browsers, so you'd have to control browser behaviour to achieve your goal.

For Firefox browsers, Pi-hole is already, by default, providing the correct canary domain to make a client Firefox fall back to plain DNS.

For Chromium browsers, you'd have to resort to manually enabling or disabling DoH in the browser settings, because that's the way Google designed it to work currently.

You should also note that we are just talking browsers here.
Your Android's OS and other apps may still access DNS in any other conceivable way, so all non-browser traffic may still use plain DNS.

In addition, using protocols like DoT or DoH would only prevent third parties from prying into your DNS requests (which adds some security when using a public WLAN in a cafe).
But your chosen DNS server provider still has your full DNS history, so there is not much to gain with regards to privacy.
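To see what the Firefox canary mechanism mentioned above actually looks like on the wire, here is a small checker that is not part of this thread or of Pi-hole: it builds a query for Mozilla's documented canary domain `use-application-dns.net`, parses the raw answer, and reports whether that answer (NXDOMAIN, or NOERROR with no A/AAAA records) would make Firefox fall back to plain DNS. The `fake_response` helper is a constructed sample for offline testing; `probe_resolver` sends the real query over UDP to a resolver IP you supply.

```python
import socket
import struct

# Mozilla's documented Firefox DoH canary domain; Pi-hole serves it NXDOMAIN by default.
CANARY = "use-application-dns.net"
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
QTYPE_A, QTYPE_AAAA = 1, 28

def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Build a minimal DNS query: 12-byte header (RD set) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(data, pos):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length

def parse_response(data):
    """Return (rcode, count of A/AAAA answer records) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode, pos = flags & 0x0F, 12
    for _ in range(qd):                    # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    addr_records = 0
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10 + rdlen
        addr_records += rtype in (QTYPE_A, QTYPE_AAAA)
    return rcode, addr_records

def canary_disables_doh(response):
    """True if the answer tells Firefox to stay on plain DNS (NXDOMAIN or NODATA)."""
    rcode, addr_records = parse_response(response)
    return rcode == RCODE_NXDOMAIN or (rcode == RCODE_NOERROR and addr_records == 0)

def fake_response(query, rcode, addr_records=0):
    """Constructed sample response: echo the question, set rcode, add N A records."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, addr_records, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + b"\xc0\x00\x02\x01"
    return header + query[12:] + rr * addr_records

def probe_resolver(resolver_ip, timeout=2.0):
    """Send the canary query to a resolver (e.g. your Pi-hole) and classify its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY), (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return canary_disables_doh(data)
```

Run `probe_resolver("<pi-hole-ip>")` from a LAN client; `True` means a Firefox on that network will fall back to plain DNS, while `False` means the canary is being answered with an address and DoH will stay on.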

Thank you for the additional comments. You are of course correct on everything you said.

Unfortunately on the Android side things are quite fragmented and there are both OS level configurations, as well as separate controls in Firefox and Chrome, not to mention apps you can introduce from the play store such as:

I now see that when it comes to DoH / DoT DNS, although it is 'secure' it is not private. Whoever you send your DNS queries to whether this is your local ISP or an upstream provider like CloudFlare, OpenDNS, Google, etc. can see everything, so I am changing course and implementing unbound to do the DNS resolution myself in the same host as the Pi-Hole.

Once I get that working, I will make the changes on the Android devices to try to get them to more easily transition from using DoH when on the wireless carrier, and then utilize the Pi-hole when on my controlled WLAN.

I've already seen that I will also need to transition DHCP from my edge router to the Pi-hole host, as my edge router (Google Wifi) will not play nice if it does DHCP and tries to hand DNS off to another host.

That should finally give me what I am after: Pi-hole working off of unbound, handling DHCP, and doing internal DNS resolution on the .lan or .local domains, allowing me to stop fiddling with mDNS / Bonjour and /etc/hosts on various machines for internal names right now.

Thanks for the direction.