I have no idea why you're seeing those - but it has nothing to do with acme updating a dns record.. SOA of whatever domain you're doing isn't going to be cloudflare-dns.com nor is it going to be dns.google, etc..
Many of those queries you're blocking out what the actual fqdn was.. and your local domain... And why the hell would you hide your rfc1918 address 172.20.x.x?
Anything using the api for cloudflare would be talking to api.cloudflare.com, godaddy would be either api.ote-godaddy.com or api.godaddy.com.
It's quite possible whatever you're doing with trying to filter is just breaking dns in general.. But if you're updating anything with the apis of cloudflare or godaddy it sure would be trying to resolve the doh fqdn..
edit: btw I have domains with cloudflare, and use acme certs for those domains.. I have no issues renewing them.. And I specifically block doh domains by resolving them to a specific rfc1918 address, so I can see if any clients try and resolve them and access them..

    ;; QUESTION SECTION:
    ;cloudflare-dns.com.            IN      A

    ;; ANSWER SECTION:
    cloudflare-dns.com.     120     IN      A       172.19.19.19
So if acme needed to talk to cloudflare-dns.com for some reason it wouldn't be able to.. I also have their real IPs blocked..
The fqdn or IP of cloudflare-dns.com would not be used in renewing a cert via cloudflare and acme.. It just wouldn't - they are not related to the api, and/or anything to do with actually resolving whatever your domain is.
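
Added example, not part of the post above: one way to use the sinkhole override it describes to see which clients look up or try to reach DoH names, and to confirm that a host only calling the DNS provider's API never appears. The log format, client addresses and sample lines are constructed; only the two DoH names and the 172.19.19.19 answer come from the post.

```python
# From the post: cloudflare-dns.com and dns.google are DoH names, and the
# override answers with 172.19.19.19. Everything else here is constructed.
DOH_NAMES = {"cloudflare-dns.com", "dns.google"}
SINKHOLE = "172.19.19.19"

# Constructed sample in a hypothetical merged format:
#   "<client> query <qname>"     resolver query log
#   "<client> conn <ip>:<port>"  firewall state log
SAMPLE_LOG = """\
172.20.1.10 query api.cloudflare.com
172.20.1.10 conn 203.0.113.10:443
172.20.1.10 query acme-v02.api.letsencrypt.org
172.20.1.23 query cloudflare-dns.com
172.20.1.23 conn 172.19.19.19:443
172.20.1.40 query Dns.Google.
"""

def normalize(qname):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return qname.rstrip(".").lower()

def is_doh_name(qname):
    """True for a listed DoH name or any subdomain of one."""
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in DOH_NAMES)

def find_doh_clients(log_text):
    """Map client -> {'resolved': set of DoH names, 'connected': bool}."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip anything that is not "<client> <kind> <value>"
        client, kind, value = parts
        entry = hits.get(client, {"resolved": set(), "connected": False})
        if kind == "query" and is_doh_name(value):
            entry["resolved"].add(normalize(value))
        elif kind == "conn" and value.rsplit(":", 1)[0] == SINKHOLE:
            entry["connected"] = True
        else:
            continue  # ordinary traffic, e.g. the ACME client calling the API
        hits[client] = entry
    return hits

if __name__ == "__main__":
    for client, info in sorted(find_doh_clients(SAMPLE_LOG).items()):
        print(client, sorted(info["resolved"]), "connected:", info["connected"])
```
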