How to use the DoH resolver at cloudflare-dns.com on Android?

I’m using OkHttp 4.9.0 to do DNS lookups on your DoH resolver. Things work perfectly on the JVM 8+ (tested on macOS, Linux and Windows), but it fails with the following exception on Android (tested on Android 5 and 8):

    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
        at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:219)
        at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
        at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
        at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
        at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
        at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
        at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept

Based on that traceback, I’d say the problem is that the issuer of your certificate isn’t in the Conscrypt trust store. I can’t imagine things would be different with a different HTTP client, given that the problem is in Conscrypt.

I can work around this issue by using Google’s DoH resolver.

Here’s the DoH client I’m using in case you want to test this, but you should be able to replicate this with a simple HTTP request to cloudflare-dns.com: https://github.com/relaycorp/doh-jvm

So, how are other people using this resolver on Android?