A good start:
traefik.toml
# Static configuration (traefik.toml).

# File provider: the dynamic configuration (routers, services,
# certificates) is read from this file.
[providers.file]
filename = "./dyn-config.toml"

# Listener on port 80, all interfaces.
[entryPoints.web]
address = ":80"

# Listener on port 443, all interfaces. TLS is not configured here;
# it is enabled per router in the dynamic configuration.
[entryPoints.web-secure]
address = ":443"
dyn-config.toml:
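# Dynamic configuration (dyn-config.toml), loaded through the file provider.

# DNS-over-HTTPS: HTTP router matched on the Host header.
[http.routers.dns-over-https]
rule = "Host(`doh-jp.blahdns.com`)"
service = "dns-over-https-svc"

# Empty table: turns on TLS termination for this router with default options.
[http.routers.dns-over-https.tls]

# An HTTP router can only reference an HTTP service, so this backend is
# declared under http.services (its servers take `url`, not `address`).
# Declared under tcp.services, the name would not resolve for the router above.
[[http.services.dns-over-https-svc.loadBalancer.servers]]
# Assumes the DoH backend speaks plain HTTP on this port - confirm;
# use an https:// URL if the backend expects TLS.
url = "http://127.250.250.250:25000"

# DNS over TCP, wrapped in TLS: TCP router matched on the TLS SNI.
# NOTE(review): neither router sets `entryPoints`, so both attach to every
# entry point, and this SNI is the same host as the HTTP rule above. TCP
# routers are evaluated before HTTP routers on a shared entry point, so this
# router may also capture the DoH connections - verify, and consider a
# dedicated entry point selected with `entryPoints` on each router.
[tcp.routers.dns-over-tcp]
rule = "HostSNI(`doh-jp.blahdns.com`)"
service = "dns-over-tcp-svc"

# Empty table: Traefik terminates TLS itself and forwards the decrypted
# stream to the backend (passthrough is not set).
[tcp.routers.dns-over-tcp.tls]

[[tcp.services.dns-over-tcp-svc.loadBalancer.servers]]
address = "127.250.250.250:15000"

# Certificate served for the TLS routers above.
[[tls.certificates]]
certFile = "/etc/haproxy/dot-jp.blahdns.cert"
# Private key: keep this file readable only by the account Traefik runs as.
keyFile = "/etc/haproxy/dot-jp.blahdns.key"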
(You can also use YAML if you prefer; see the documentation: https://docs.traefik.io/v2.0/routing/entrypoints/.)