DoH on Windows 11 times out

[Klaaktu]

Setup: A domain from DuckDNS, a certificate without OCSP Must-Staple, Windows 11, Preferred DNS: my IP (Is there a way to omit this as I could have dynamic DNS?), DNS over HTTPS: On (Manual template), Template: https://something.duckdns.org:3000/dns-query
Organization's network is using a block list that includes *.duckdns.org, but somehow my domain works. My guess is their blocking doesn't work on TLS 1.3.

Problem: I can visit the URL from browsers and the page loads ("dnscrypt-proxy local DoH server"). But nslookup always times out, and browsers don't appear to be using my DoH server. nslookup also says Name: UnKnown, and when I enter its interactive mode, it automatically tries a DNS lookup and times out, presumably for my DoH server (but why...).

My guess: Windows' manual template doesn't allow custom port, or Windows DNS Client is using TLS 1.2.

[Klaaktu]

I set my URL in Chrome's custom Secure DNS field, and it just works.
Now I think nslookup and Resolve-DnsName are timing out because they aren't using DoH at all (I'm not listening on port 53 unencrypted, and the blocking is TCP RST rather than timeout).
It seems Chrome's "With current provider" setting just have a hard coded list of URLs to match, instead of getting it from Windows. (Though my source is outdated)
I'm not sure of the point of toggling off "Fallback to plaintext" in Windows settings, if none of the utilities or browser in Windows actually use the system's DoH... But, mark this as answered until someone has more insight.