Integrating knot-resolver (prior work?)

I'd like to integrate knot-resolver locally so that Pi-hole can handle TLS and DoH requests. It's also just cool. I did this locally (not into Pi-hole) where I run knot-resolver and then point Pi-hole to it. It works well, but there are a few nice-to-haves like seeing "secure" or "not secure" on the query log. Also, it would get around the 10,000 limit for dnsmasq cache size.

Is there any prior work on this?

Not any that I am aware of, but feel free to search our forum. :wink:

However, if you wouldn't be strictly tied to knot for a reason, unbound can do much the same thing, and we already have a guide for running unbound as a recursive resolver in conjunction with Pi-hole.

Of course, you'd have to change a few lines to have unbound switch to DoT/DoH instead.

Add these lines to the pi-hole configuration file for unbound, and you have a DoT forwarding resolver:

    # Goes in the server: clause of the unbound config from the Pi-hole guide;
    # unbound validates the upstream's certificate against this CA bundle.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    forward-zone:
     name: "."
     forward-tls-upstream: yes
     # Quad9; the name after '#' is the hostname the certificate must match
     forward-addr: 9.9.9.9@853#dns.quad9.net
     forward-addr: 149.112.112.112@853#dns.quad9.net
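
As an added example (not code from this thread, from unbound or from Pi-hole), here is a minimal DNS-over-TLS client in Python that performs the same checks the forward-addr line above asks unbound to make: TLS to port 853, the server certificate verified against the CA bundle and the auth name dns.quad9.net, then a length-prefixed DNS message over the encrypted channel. The function names, the fixed query ID 0x1234 and the defaults are assumptions for the example.

```python
import socket
import ssl
import struct

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Recursive A query for `name` in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg: bytes, qid: int = 0x1234) -> list:
    """IPv4 addresses in the answer section; rejects a response with the wrong ID."""
    rid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("response ID does not match the query ID")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def dot_query(name, server_ip="9.9.9.9", auth_name="dns.quad9.net",
              ca_bundle="/etc/ssl/certs/ca-certificates.crt") -> list:
    """Resolve `name` over DoT. The handshake fails unless the server certificate
    chains to `ca_bundle` and matches `auth_name` (unbound's '#dns.quad9.net')."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # check_hostname stays True
    query = build_query(name)
    with socket.create_connection((server_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            f = tls.makefile("rb")  # read() blocks until exactly n bytes or EOF
            (rlen,) = struct.unpack("!H", f.read(2))
            return parse_a_records(f.read(rlen))
```

Pointing `server_ip` at an address whose certificate does not carry `auth_name` makes `wrap_socket` raise an `ssl.SSLCertVerificationError`, which is the failure you want to see rather than a silently accepted forwarder.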

Thanks for the links. I'll check unbound out. Though, I really like knot-resolver. It's super neat. There are so many things you can do and customize with it. So I might still look into it.

I'm not sure what your motivation is, but many want to use DoT and/or DoH for security. Please, don't. Usually, this will do the exact opposite of what you are trying to achieve. Let me detail that below.

First, I'd like to make sure you've read the "Whom can you trust" section in our docs already linked by @Bucking_Horn above, so we're sure to be talking about the same thing. Therein is also explained how recursive resolvers work, which is essential for the following.

Free DNS providers like Google, Cloudflare, etc. are known to be big data harvesters and, typically, people don't want that. However small the DNS provider you are using might be, they live off of something, so they are likely making money out of the data they harvest by providing their free DNS service. On the other hand, when you are running your own recursive resolver, nobody can harvest your data (except your Internet service provider (ISP), more on that below). Security - in the form of authenticity - is granted by DNSSEC, and its use becomes more widespread every day.

So people have raised the concern "but DoT and DoH are encrypted and - as such - more secure". Don't get dazzled by this. It is only partially true. Yes, your connection to the upstream DNS resolver is encrypted and, hence, secure; however, the upstream DNS provider still gets all your data. At their end, they have no other choice than being a recursive resolver themselves, doing the lookup for you and giving you the result over the encrypted channel. There is no other way than DNSSEC they can use to verify the records, so you have no increase in security by using DoT or DoH except concealing your raw DNS requests from your ISP.
However, as you are making a connection to the IP address in the next second and sending the hostname in plaintext (SNI), hiding the DNS request makes little to no difference to your ISP's ability to see where you are connecting. When you are living in a not-so-friendly country and really feel threatened by your ISP, you will likely be using a VPN anyway, so you are, again, better "protected" by running your own recursive resolver than by using one of the big free public ones.

There is one other thing besides data harvesting I don't like about the big players. One thing they cannot do anything about: cache poisoning. Attackers can (and do) attack the large DNS servers with the goal of smuggling incorrect DNS replies into their cache, from where they are served to the millions of "customers" using this DNS resolver. The more users are using a DNS service (you can assume almost every free one is an interesting target), the more likely it is that somebody attacks the service and injects malicious data. This is just very hard to mitigate and, besides DNSSEC, it is sometimes even entirely impossible (e.g., when it only depends on time of arrival).

TL;DR (somewhat oversimplified, read above for details): Using public DNS providers makes you vulnerable to a few attacks that aren't relevant otherwise. Your data is also likely harvested. Using DoT or DoH is only eyewash; you conceal your requests only from your ISP, which can easily get the same information otherwise. When you are using a VPN, everything will be encrypted anyway.
