dnsproxy VS doh-cf-workers

There's no difference between the free and freemium in regards to customizability while using VPN since both offer DoT endpoints. On Android, with the standard WireGuard & OpenVPN app you can use any DoT provider you want since the Android Private DNS setting takes precedence over the DNS settings in the VPN app. In Windows you can run https://github.com/AdguardTeam/dnsproxy locally, that way the VPN won't intercept and modify the local DNS traffic (the DNS upstream still goes through the VPN, but if you use DoT/DoH/DoQ then it continues to the DNS server you prefer).

Which OS is this? In Android the Private DNS (DoT) setting is respected by some clients like the standard WireGuard & OpenVPN, so you can just load any provider's config and enter your personal DoT address. In iOS Passepartout can accept WG/OpenVPN config and apply custom DoH, as for desktop OS you can just run https://github.com/AdguardTeam/dnsproxy forwarding to your DoH/DoQ address and set the VPN interface to use localhost as DNS.

If it's on a desktop/laptop, you can run https://github.com/AdguardTeam/dnsproxy to forward into your NextDNS DoH/DoT/DoQ, and set your VPN network adapter to use 127.0.0.1, 127.0.0.2, ::1 and ::2 for DNS (the secondary entry either loopback or fail entirely, all it matters is your OS shouldn't try other address), that way since local traffic isn't routed by the VPN, you still get NextDNS (the actual DoH/DoT/DoQ traffic is still going through the VPN).

Why not set AdGuard Home (assuming it's indeed installed at your home) to use DoT/DoH/DoQ upstream (so your ISP can't redirect it) and have the rewrites in AGH too? If your AGH instance isn't at home, assuming you're using Windows 11 set your AGH to listen on DoH and set Windows to use DoH to your AGH. Otherwise use dnsproxy in Windows to forward it to your AGH through DoT/DoH/DoQ.

I'm not sure what is your plan here, do you need the Surfshark feature specifically, or do you just want to hide your traffic from your ISP? If you need Surfshark (perhaps for streaming geoblocked content or torrenting), then integrating it with AGH hosted on the cloud for device-wide traffic is going to be complicated. The Surfshark client doesn't support custom DoH/DoT address nor IPv6 (opening public IPv4 Do53 is a big no-no, you'll get swamped for DNS amplification attack), so you'll need an app running on your device to redirect DNS traffic like https://github.com/AdguardTeam/dnsproxy to your cloud AGH. You'd need to setup DoH with a custom path through Nginx otherwise people would scan your server and use it, plus if Google's crawler sees the AGH login page it will mark it as deceptive, and your entire domain is blacklisted by the Safe Browsing API that's used on multiple products (Chrome, Firefox, AdGuard, NextDNS, etc). With all that hassle might as well just run AGH locally on your device anyway (local traffic isn't handled by VPNs)

Assuming you have a custom upstream, it's by design

Since nextdns-cli isn't likely to support DoQ anytime soon, your best bet is dnsproxy and ctrld.

For desktop browser, just change the Secure DNS/DNS over HTTPS settings to one of the servers in https://github.com/curl/curl/wiki/DNS-over-HTTPS, if they're all blocked, create your own with https://github.com/tina-hello/doh-cf-workers. On Android use Intra to load custom DoH, and on iOS use https://dns.notjakob.com/ to create the DoH profile.

If Cloudflare Workers aren't blocked, you can use https://github.com/tina-hello/doh-cf-workers to forward to it, though it only work with DNS over HTTPS client (most desktop browsers, Windows 11, iOS, macOS, Intra on Android and YogaDNS on older Windows)

DoH is another game entirely, even if you import the known DoH domains manually, anyone including dedicated kids, can create their own DoH proxy in minutes.

Even those who weren't interested in self-hosting might spend a couple of minutes hosting their own DNS proxy since it's much more flexible and don't require root or dedicated port (at least with DoH).

While you can in turn block those DoH servers (and probably block port 853 too to stop the default DoT & DoQ traffic), there are ridiculous amount of public DoH servers available, partly because of how easy it is to self-host AGH and expose the DoH endpoint to the public. Anyone can even create their own in minutes.

Check if your router support DNS over TLS (DoT) or DNS over HTTPS (DoH), that would ignore the ISP filtering, assuming the ISP doesn't just block port 853 for DoT, or filtering well-known DoH server, in which case just setup your own.

If you don't want to set up AGH at home or at a VPS, accept that the phones need to use the NextDNS/Nebulo/Intra/AdGuard app set to your NextDNS DoH endpoint while you block other providers, though this doesn't actually stop others from using their own/generic NextDNS, or even any provider if their DoH client support bootstrapping. Also, unless it's a seriously fancy router that analyzes traffic statistics, blocking DoH is merely using public list of DoH domains, anyone can create their DoH proxy which won't be blocked. Some routers have SNI filtering which can block websites regardless of the DNS used, but then you need to provide your own blocklist.

That's probably SNI filtering, but try other servers from https://adguard-dns.io/kb/general/dns-providers/ and https://github.com/curl/curl/wiki/DNS-over-HTTPS/ just in case, or make your own proxy on https://github.com/tina-hello/doh-cf-workers

If you want to go that route, keep in mind the entire Cloudflare Workers and Cloudflare Pages subdomains (workers.dev and pages.dev) can be used as free DoH proxy. Sure you can put the nuclear option, but it would break sites that do use them.

A purely DNS-based solution is bound to be easily bypassed, it's really simple to bootstrap the IP so there's no need to even use the network/OS DNS to resolve the custom DoH domain, with hundreds of publicly known DoH and trivial deployment of DoH forwarder you're fighting a losing game.