Comment on I hate using mobile to read articles

skullgiver@popplesburger.hilciferous.nl ⁨1⁩ ⁨year⁩ ago

Add nginx to the mix (simply put a TLS proxy between DNS and the outside world) and you’ve got a DoT server. Because it’s TCP you don’t need to consider DNS amplification attacks and Android has native DoT support that’ll work anywhere.

What you need is a domain (any domain will do) pointed at your WAN IP and a valid HTTPS certificate. Put this in your Pihole’s nginx config:

stream {
    # Upstream is the local Pi-hole resolver; the stream proxy speaks plain TCP to it,
    # so this is DNS-over-TCP on the inside and DNS-over-TLS (port 853) on the outside.
    upstream dns {
        zone dns 64k;
        server 127.0.0.1:53;
    }

    server {
        # DoT listens on 853/tcp; nginx terminates TLS and forwards the raw DNS bytes.
        listen 853 ssl;
        ssl_certificate /path/to/your/letsencrypt/certificate.pem;
        ssl_certificate_key /path/to/your/letsencrypt/key.pem;
        proxy_pass dns;
    }
}

The hardest part is getting Let’s Encrypt set up, but you can use common DNS APIs to get those without ever forwarding port 80 to your Pihole. You do need to forward port 853 of course.

Then open your phone’s settings and set the secure DNS to custom, and point it at your WAN IP. You’ll now have PiHole support wherever you go, without a VPN.

The only downside is that you’ll have to turn it off in some hotspots that still use DNS interception to redirect you to their portal page rather than the standard protocols, but it’ll work in most cases. Some routers also deal with port forwards weirdly (not forwarding packets destined for the WAN IP if they’re coming from LAN), which requires some more messing around, but I’m pretty sure those issues are becoming rarer and rarer.

If you’re feeling fancy you can set up DoH as well, but that’s more involved.
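An added example (not part of the comment above, and not Pi-hole's or nginx's own code) of what the nginx stream block is actually relaying: DNS-over-TLS is ordinary DNS-over-TCP framing (a 2-byte length prefix, RFC 1035 section 4.2.2) carried inside TLS (RFC 7858). The block builds a query, frames and unframes it, and parses A records out of a constructed sample response; `query_dot` is an optional end-to-end check against a real server that verifies the certificate chain and hostname, so it should be given the domain name that the certificate was issued for rather than the bare WAN IP. The hostname `example.test`, the transaction id and the sample response are all constructed for the example.

```python
import socket
import ssl
import struct

SAMPLE_TXID = 0x1234  # constructed; a real client should use a random id per query


def build_query(name: str, qtype: int = 1, txid: int = SAMPLE_TXID) -> bytes:
    """Minimal RFC 1035 query: header with RD set, one question (A/IN by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP, and therefore DoT, prefixes every message with a big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(buf: bytes) -> bytes:
    """Strip the length prefix, refusing short or truncated frames instead of guessing."""
    if len(buf) < 2:
        raise ValueError("short frame")
    (length,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + length:
        raise ValueError("truncated DNS message")
    return buf[2:2 + length]


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + ln


def parse_a_records(msg: bytes, expected_txid: int):
    """Return (rcode, [IPv4 strings]) from a response, checking the transaction id."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return rcode, addrs


# Constructed response: NOERROR, one question, one A answer (192.0.2.1) using a
# compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(server: str, name: str, port: int = 853, timeout: float = 5.0):
    """End-to-end DoT check (network call, not exercised offline). `server` must be the
    certificate's domain name, because the default context validates the hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server) as tls:
            tls.sendall(frame_tcp(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            body = _recv_exact(tls, length)
    return parse_a_records(body, SAMPLE_TXID)


if __name__ == "__main__":
    print(parse_a_records(unframe_tcp(frame_tcp(SAMPLE_RESPONSE)), SAMPLE_TXID))
```

If `query_dot("your.domain.example", "pi.hole")` fails with a certificate error, the proxy is up but the certificate does not match the name the phone will connect to; if it hangs, the port forward for 853/tcp is the usual suspect.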
