Thanks, that's exactly what I was trying to ask. BTW, there's a new tool from the Windscribe/ControlD people that would be a great replacement and enhancement to DNSFilter/Director. Here's the link: https://github.com/Control-D-Inc/ctrld
It's basically a command line version of DNSFilter/Director (plus a bit more) but with full support for DoT/DoH.
Doubt that is going to get added to merlin unless Asus changes to it.
To clarify a bit what has been said already:
Set DNS Director to on and mode to "router". That will force any client doing a DNS lookup on port 53 to use the router's DNS, no matter what IP they try to lookup to. It can be confusing as an nslookup to 188.8.131.52 will still say it is coming from google, but really it is coming from the router. It just replaces the payload of the response. You can consider DNS director a totally independent feature from whatever you're doing on your WAN page, but when used in conjunction (by setting it to router) they two work together to accomplish what you want.
On your WAN DNS set up whatever you want to be used for DNS, including the servers, DNSSEC, DOT, etc. Optionally you can enable "prevent auto DOH" but that is only for a few scenarios. A client can still set up their own DOH or DOT and bypass your router, no way around that other than installing a blacklist of those servers (and that won't be 100% either).
The two steps above will force all client requests for port 53/dns to use whatever is set on the WAN page for DNS (even though they won't know it).
Make sure your DHCP server settings have no DNS server specified and have the "advertise router's IP" set to "yes".
Then optionally you can set exceptions on the DNS director page. If you set a client to "no filtering", it will use whatever is configured on the client (whether learned from DHCP or statically set). In my case I leave my own PCs set to "no filtering". They still get the router IP from DHCP and use the settings on the WAN page normally, but if I ever want to lookup against another DNS server for testing, I can. Or you can set kids PCs to use an adult filtering service instead of the regular WAN DNS, etc. But those PCs will NOT get DOT or other security filters from the WAN page, they will bypass those settings on the WAN completely when you specify anything other than "router" on the DNS director page.
My router seems to slow down a lot with DNSSEC and/or DOT enabled (older AC1900 router) so I don't even have those on.
Personally I don't think they're all that useful anyway
DNSSEC just re-validates what your DNS service is already doing (most of them do DNSSEC already). It is somewhat pointless to a recursive DNS server. It doesn't stop that server from getting hacked and returning you invalid replies, so really just extra latency and load on your router for no reason. If you really want to do DNSSEC you need to set up a DNS server on your network that looks up directly to the root DNS and resolves directly.
DOT is for hiding your lookups from your ISP, but not like they can't see what site you go to right after doing that lookup. In some countries where sites are filtered using DNS, DOT/DOH is useful, but not really an issue in the US, and those countries probably block the IPs of those sites anyway. Plus so many other things are tracking you, what's one more? If I truly want what I'm doing hidden I use a VPN. But I'm not doing anything that is going to get me flagged on any watch lists anyway.
Mainly I just wanted an extra line of protection for friends and neighbors that I let use my wifi that aren't as careful as I am (and also IOT devices as I don't fully trust them), and just in case I'm not paying attention and click a phishing or malicious link (or those times when an ad on a website turns out to be malicious and redirects to a bad site even if you don't click it). Nothing is going to block it all but between browser protection, antivirus, AiProtection, and DNS filter, hopefully will catch most.