Pihole + cloudflared DoH + cloudflare gateway

I've come up with a "simple" way to run pihole with an upstream DoH connection to Cloudflare Gateway for custom traffic filtering.

Gist: Pihole Install · GitHub

It leverages macvlan to put the pihole docker container on to your local network so it can have port 53.
It also places the cloudflared container directly into the pihole container's network so that pihole can query it over 127.0.0.1.
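The layout described in the post, written out as a docker-compose file. This is an added example, not the code from the linked gist: the interface name `eth0`, the LAN `192.168.1.0/24`, the Pi-hole address `192.168.1.53`, the gateway `192.168.1.1`, the local port `5053` and the `<GATEWAY_ID>` placeholder in the Cloudflare Gateway DoH URL are all assumptions to be replaced with your own values.

```yaml
# Added example (not the gist's code). Assumed values: parent NIC eth0,
# LAN 192.168.1.0/24, Pi-hole at 192.168.1.53, gateway 192.168.1.1, and a
# Cloudflare Gateway DoH endpoint whose id is the placeholder <GATEWAY_ID>.
services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    networks:
      lan:
        ipv4_address: 192.168.1.53   # assumed; pick a free address outside DHCP range
    environment:
      TZ: "UTC"
      WEBPASSWORD: "change-me"       # placeholder; set a real admin password
      # cloudflared shares this container's network namespace, so 127.0.0.1
      # reaches it; the port matches the --port flag given to cloudflared.
      PIHOLE_DNS_: "127.0.0.1#5053"
    volumes:
      - ./etc-pihole:/etc/pihole
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
    restart: unless-stopped

  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    # Join pihole's network namespace: no address of its own, only loopback.
    network_mode: "service:pihole"
    command: >
      proxy-dns
      --address 127.0.0.1
      --port 5053
      --upstream https://<GATEWAY_ID>.cloudflare-gateway.com/dns-query
    depends_on:
      - pihole
    restart: unless-stopped

networks:
  lan:
    driver: macvlan
    driver_opts:
      parent: eth0                   # assumed host NIC on the LAN
    ipam:
      config:
        - subnet: 192.168.1.0/24
          gateway: 192.168.1.1
```

Two things to check after `docker compose up -d`: Pi-hole's query log should show every forwarded query going to `127.0.0.1#5053`, which confirms that plain-text port 53 never leaves the container and the only upstream path is the DoH session to the Gateway endpoint; and the Docker host itself cannot reach a macvlan container through the parent interface (a kernel restriction of macvlan), so the host needs either its own macvlan sub-interface or a different resolver in its own `/etc/resolv.conf`.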

If you are willing to go through this much effort (I think containers are complicated) just to still use an upstream DNS, just look at the doc page, one SINGLE PAGE of instructions, and half of it can be omitted, for unbound.

You'll be your own DNS provider, self-hosted by you and a lot more secure. Plus you can extend the cache time for recorded addresses, increasing performance further and reducing the need for these DNS services.

I sincerely hope the human race gets to a place in the Internet where we ALL are self-running our dns servers. It is very simple if you follow the instructions and skip all optional steps (except the one line command to download the domain file).

Lookups will take nearly 5-10 times as long, but only one per half hour, for new domain names (you probably won't be able to tell much difference), but all of this is because it's going directly to the source, not a third-party DNS provider, but rather, first party.

For the benefit of future readers of this thread - don't do this. TTLs are set by the nameservers for valid reasons.
