It was a while ago, so I can’t remember exactly but there is a good article here The cloudflared daemon is setup to run a standard DNS server over TCP/UDP port 53 as normal. You configure the upstream DNS to be DoT based. The clients then send DNS requests as normal to the cloudflared service and then they convert them to DoT upstream and the response is then sent back to the client as a normal DNS response.
“privacy, that’s iPhone” 🙄