Force UDM Pro to use NextDNS CLI?

I am 99% there with my NextDNS setup.  All my LAN clients use the router for DNS, which uses NextDNS CLI to provide encrypted DoH goodness.  

IPv6 clients work great thanks to the trick from https://help.nextdns.io/t/60htjnn - basically tell your DHCPv6 server to dish out the IPv6 equivalent of your IPv4 router IP and you get the normal NextDNS CLI experience. So that's cool.

Ditto my Guest network, thanks to https://github.com/nextdns/nextdns/issues/457.

The one thing I cannot get to work is having the UDMP itself use NextDNS CLI - all its queries are just hitting the NextDNS upstreams on bog-standard DNS port 53.

I know this is expected.  But come on - 100% encrypted DNS is what we want right?

I've tried various iptables rules including a modified version of the idea here: https://gist.github.com/Belphemur/f5f5afd19116ee17d4498f5ad87386a3

I know that resolution works - e.g. if you try

# nslookup www.beer.com localhost:5553

You get the glorious secure request log on my.nextdns.io, with client ID.

I just can't get the "force requests to 127.0.0.1:53 FROM 127.0.0.1 to go to 127.0.0.01:5553" to work.

Is this a future feature that I am jumping the gun on? Why does iptables hate me?

Has anyone solved this?  My 99% of the way there setup really wants to know!