dnsproxy VS jp.tiar.app

There's no difference between the free and freemium in regards to customizability while using VPN since both offer DoT endpoints. On Android, with the standard WireGuard & OpenVPN app you can use any DoT provider you want since the Android Private DNS setting takes precedence over the DNS settings in the VPN app. In Windows you can run https://github.com/AdguardTeam/dnsproxy locally, that way the VPN won't intercept and modify the local DNS traffic (the DNS upstream still goes through the VPN, but if you use DoT/DoH/DoQ then it continues to the DNS server you prefer).

Which OS is this? In Android the Private DNS (DoT) setting is respected by some clients like the standard WireGuard & OpenVPN, so you can just load any provider's config and enter your personal DoT address. In iOS Passepartout can accept WG/OpenVPN config and apply custom DoH, as for desktop OS you can just run https://github.com/AdguardTeam/dnsproxy forwarding to your DoH/DoQ address and set the VPN interface to use localhost as DNS.

If it's on a desktop/laptop, you can run https://github.com/AdguardTeam/dnsproxy to forward into your NextDNS DoH/DoT/DoQ, and set your VPN network adapter to use 127.0.0.1, 127.0.0.2, ::1 and ::2 for DNS (the secondary entry either loopback or fail entirely, all it matters is your OS shouldn't try other address), that way since local traffic isn't routed by the VPN, you still get NextDNS (the actual DoH/DoT/DoQ traffic is still going through the VPN).

Why not set AdGuard Home (assuming it's indeed installed at your home) to use DoT/DoH/DoQ upstream (so your ISP can't redirect it) and have the rewrites in AGH too? If your AGH instance isn't at home, assuming you're using Windows 11 set your AGH to listen on DoH and set Windows to use DoH to your AGH. Otherwise use dnsproxy in Windows to forward it to your AGH through DoT/DoH/DoQ.

I'm not sure what is your plan here, do you need the Surfshark feature specifically, or do you just want to hide your traffic from your ISP? If you need Surfshark (perhaps for streaming geoblocked content or torrenting), then integrating it with AGH hosted on the cloud for device-wide traffic is going to be complicated. The Surfshark client doesn't support custom DoH/DoT address nor IPv6 (opening public IPv4 Do53 is a big no-no, you'll get swamped for DNS amplification attack), so you'll need an app running on your device to redirect DNS traffic like https://github.com/AdguardTeam/dnsproxy to your cloud AGH. You'd need to setup DoH with a custom path through Nginx otherwise people would scan your server and use it, plus if Google's crawler sees the AGH login page it will mark it as deceptive, and your entire domain is blacklisted by the Safe Browsing API that's used on multiple products (Chrome, Firefox, AdGuard, NextDNS, etc). With all that hassle might as well just run AGH locally on your device anyway (local traffic isn't handled by VPNs)

Assuming you have a custom upstream, it's by design

Since nextdns-cli isn't likely to support DoQ anytime soon, your best bet is dnsproxy and ctrld.

AhaDNS Blitz Secure DNS IPv4: 5.2.75.75 AhaDNS Blitz Secure DNS IPv4: 185.213.26.187 AhaDNS Blitz Secure DNS IPv6: 2a04:52c0:101:75:0:0:0:75 AhaDNS Blitz Secure DNS IPv6: 2a0d:5600:33:3:0:0:0:3 source: https://ahadns.com/#dns-servers CIRA Canadian Shield DNS IPv4: 149.112.121.20 CIRA Canadian Shield DNS IPv4: 149.112.122.20 CIRA Canadian Shield DNS IPv6: 2620:10A:80BB:0:0:0:0:20 CIRA Canadian Shield DNS IPv6: 2620:10A:80BC:0:0:0:0:20 source: https://www.cira.ca/cybersecurity-services/canadianshield/how-works CleanBrowsing Secure DNS IPv4: 185.228.168.9 CleanBrowsing Secure DNS IPv4: 185.228.169.9 CleanBrowsing Secure DNS IPv6: 2a0d:2a00:1:0:0:0:0:2 CleanBrowsing Secure DNS IPv6: 2a0d:2a00:2:0:0:0:0:2 source: https://cleanbrowsing.org/filters/ CloudFlare Secure DNS IPv4: 1.1.1.2 CloudFlare Secure DNS IPv4: 1.0.0.2 CloudFlare Secure DNS IPv6: 2606:4700:4700:0:0:0:0:1112 CloudFlare Secure DNS IPv6: 2606:4700:4700:0:0:0:0:1002 source: https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/linux ControlD Secure DNS IPv4: 76.76.2.2 ControlD Secure DNS IPv4: 76.76.10.2 ControlD Secure DNS IPv6: 2606:1a40:0:0:0:0:2 ControlD Secure DNS IPv6: 2606:1a40:1:0:0:0:2 source: https://controld.com/free-dns/ DNSlify Safe/Secure DNS IPv4: 185.235.81.3 DNSlify Safe/Secure DNS IPv4: 185.235.81.4 DNSlify Safe/Secure DNS IPv6: 2a0d:4d00:81:0:0:0:3 DNSlify Safe/Secure DNS IPv6: 2a0d:4d00:81:0:0:0:4 source: https://www.dnslify.com/services/filtering/ Neustar Secure UltraDNS IPv4: 156.154.70.2 Neustar Secure UltraDNS IPv4: 156.154.71.2 Neustar Secure UltraDNS IPv6: 2610:a1:1018:0:0:0:2 Neustar Secure UltraDNS IPv6: 2610:a1:1019:0:0:0:2 source: https://www.publicdns.neustar/ Privacy-First Secure DNS IPv4: 174.138.21.128 Privacy-First Secure DNS IPv4: 188.166.206.224 Privacy-First Secure DNS IPv6: 2400:6180:0:d0:0:5f6e:4001 [Singapore] Privacy-First Secure DNS IPv6: 2400:8902:0:f03c:91ff:feda:c514 [Japan] source: https://github.com/pengelana/jp.tiar.app/wiki | tiarap.org Quad9 Secure DNS IPv4: 9.9.9.9 [my choice] Quad9 Secure DNS IPv4: 149.112.112.112 [my choice] Quad9 Secure DNS IPv6: 2620:fe:0:0:0:0:0:9 [my choice] Quad9 Secure DNS IPv6: 2620:fe:0:0:0:0:0:fe [my choice] source: https://www.quad9.net/support/set-up-guides/windows/ Yandex Safe/Secure DNS IPv4: 77.88.8.88 Yandex Safe/Secure DNS IPv4: 77.88.8.2 Yandex Safe/Secure DNS IPv6: 2a02:6b8:0:0:0:0:feed:bad Yandex Safe/Secure DNS IPv6: 2a02:6b8:0:1:0:0:feed:bad source: https://kb.adguard.com/en/general/dns-providers#yandex-dns