Go into firewall, then the tab "network services filter". Click "yes" next to enable. The defaults for the rest (deny list, hours, etc) should all be fine.
Then add two firewall rules. Make it look exactly like the below and click apply. Then disable your dnsfilter so they will be blocked rather than redirected.
This will result in anyone pointing to your router IP for DNS being fine, and anyone pointing to anything else not being able to get any DNS responses.
On the WAN page, you can set your WAN DNS servers to whichever service you want to use. Right now you're using adguard but if you want to block malicious sites, porn, etc you would want to pick one of the others, or enter a custom one (there are many more out there than the predefined ones).
Make sure the Name Servers on your DHCP page are blank, and the "advertise router" is set to "yes". That ensures your clients only learn 1 DNS server, your router.
Note that if you leave parental controls enabled and aiprotection "malicious site blocking" enabled as well, you'll basically have two layers of protection now. DNS will take priority but if for some reason a site isn't filtered there but is on trend micro, then aiprotection will block it. Aiprotection also helps block something if someone tries to visit it by IP instead of hostname (which DNS filtering would never see).
As mentioned before, this will not block DNS over HTTPS (DOH), VPN, and some other forms of secure DNS. To do that you'll need to move to merlin and install addons to blacklist as many of those as possible. But this is a good start.
One other note - if all you're doing is trying to prevent someone from bypassing the "parental controls", there is no need to do any of this. Parental controls do not use DNS, they use packet inspection to see what site the person is visiting. They will work no matter what the DNS server is set to. However if you want them to be forced to use the filtering DNS service on the WAN page (adguard as you ahve it set now, or one of the others in there), then this will work for that.
View attachment 45207