DNS query metadata can leak a lot of information about your internet activities. While DNS-over-TLS/HTTPS has definitely improved DNS privacy over the years, DNS requests can still be associated with user identity at the resolver by logging the origin IP address of the DNS query request. DNS-over-TLS-over-Tor addresses this vulnerability as Tor circuits masquerade the origin of the DNS request.
Cloudflare deployed its DNS resolver as a Tor Hidden Service back in 2018. It being a TorHS is fantastic because by design the hidden service is not meant to know who the identity of the requestor is. Assuming Tor Hidden Services work according to its design assumptions, the DNS queries sent to the TorHS resolver cannot be associated with a user identity which thwarts DNS correlation attacks.
Life of DNS over TLS on Tor (DoToT) request
+---------+ +---------+ +-------+ +------+ +-----------------------+
| DNS Req.| --> | Unbound | --> | socat | --> | Tor | --> | Cloudflare 1.1.1.1 HS |
+---------+ P | Port 53 | E | 853 | E | 9050 | E | 853 |
+---------+ +-------+ +------+ +-----------------------+
P denotes unencrypted traffic.
E denotes encrypted traffic using TLS.
This was achieved using the unbound forward-tls-upstream configuration flag.
You can find the code to do all of this:
For the torrc file, just enable SocksPort 9050.