OP is wrong - they're not hijacking at all. Cloudflare's 1.1.1.1 endpoints are everywhere, not just in Singapore. In this particular case with ACT's internal routing, it's reaching 1.1.1.1 located in Cloudflare's Hyderabad node.
You can verify if that's the case by looking at the link below:
You should see Cloudflare's response with appropriate 'colo' tag along with the datacenter location that's responsible for this. In my and your case, it would becolo=HYD
just like yours, because ACT is routing most of Cloudflare to their Hyderabad location.
PS C:\WINDOWS\system32> tracert 1.1.1.1
Tracing route to one.one.one.one [1.1.1.1]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.0.0.1
2 1 ms 1 ms 1 ms 192.168.1.254
3 2 ms 2 ms 1 ms 103.77.240.1
4 2 ms 2 ms 2 ms 218.248.164.97
5 3 ms 5 ms 2 ms 218.248.164.122
6 * * 5 ms 218.248.235.197
7 5 ms 5 ms * 218.248.235.198
8 * * * Request timed out.
9 41 ms 40 ms 40 ms 125.17.39.241
10 38 ms 38 ms 38 ms 182.79.141.44
11 37 ms 37 ms 38 ms 182.79.223.58
12 38 ms 35 ms 36 ms one.one.one.one [1.1.1.1]
Trace complete.
DNS and http/s are run on different ports. It is possible to firewall only DNS and let http/s to pass through.
1.1.1.1
and compare it with 8.8.8.8
without encryption in play? I highly doubt it. The help link here does indicate 'connectivity' with 1.1.1.1, but how effective is that?