Think of your router as a DNS proxy server. Your clients look up to the router, the router sends any non-cached entries upstream, and replies back using its internal IP.
If you want to use DoT (like I said, if you're just looking up to recursive DNS, there really isn't any benefit) then you must use the router proxy feature. If you want clients to see the DNS directly, disable the router proxy, and you also won't have DoT.
Generally it is better to have the router be the proxy, caching entries locally will be faster, and you can change DNS servers anytime and it is transparent to the client.
So the recommended setting is on LAN DHCP, leave both DNS blank and check off "advertise router's IP". All clients will receive 192.168.50.1 as their DNS.
On WAN set the DNS servers you want queries to go to (1.1.1.1, adguard, etc).
If you want to ensure a client never statically sets anything to bypass the router, go to DNSFilter/DNSDIrector and set it as "router" and enable it. That way all DNS traffic is intercepted by the router and uses the WAN DNS IPs, no matter what the client points to. The client never knows, they think the response is coming from the DNS they pointed to, but in reality it is coming from the router. Note this doesn't work with clients that use DoH (I believe firefox does this by default and Chrome/Edge have it as an option). You can enable the feature on the WAN page to block client auto DOH which helps prevent those browsers from doing that, but a savvy user can still force DoH.