You can't have the router automatically manage routes based on the webui config AND add your own custom routes and expect the router to magically guess which routes should be left untouched in main and which should be moved... Pick one method, not both.
If you want the router's DoT queries to go through the tunnel, then create a policy rule with the DoT server's IP address. It will tell the router to go through the VPN for that destination.
Normally you'd set up the source IP as the router and the destination as the DoT server, but for some reason this currently doesn't work (possibly one of the higher-priority routing tables has precedence - I haven't had time to look into it). However, not specifying a source will work, even from the router (a traceroute running from my router was going through the tunnel for me).
Code:
admin@stargate88ax:/tmp/home/root# traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
1 10.8.2.1 (10.8.2.1) 10.302 ms 12.637 ms 14.217 ms
2 vlan24.as02.qc1.ca.m247.com (176.113.74.1) 9.924 ms 16.546 ms 13.358 ms
3 xe-0-0-1-0.agg2.qc1.ca.m247.com (37.120.128.166) 25.526 ms 35.845 ms 21.326 ms
4 vlan304.as032.buc.ro.m247.com (77.243.185.226) 12.552 ms 13.364 ms 12.147 ms
5 cloudflare.peer.qix.ca (198.179.18.55) 10.132 ms 10.877 ms 14.073 ms
6 one.one.one.one (1.1.1.1) 13.470 ms 12.741 ms 18.921 ms
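The post leaves open why a rule keyed on both source and destination loses while a destination-only rule works. The following is an added example, not code from the post or from the router firmware: a small Python model of Linux policy-based routing (rules walked by ascending priority, first matching rule whose table yields a route wins). The addresses, table names and rule priorities are constructed to show one layout that reproduces the behaviour described; the real ones on a router are read with `ip rule show` and `ip route show table <name>`.

```python
# Added example (not from the original forum post): a model of Linux
# policy-based routing used to reason about rule precedence. The router
# address, table names and priorities are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    priority: int               # lower number = consulted first
    table: str                  # routing table consulted when the rule matches
    src: Optional[str] = None   # source prefix, None = any source
    dst: Optional[str] = None   # destination prefix, None = any destination


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination prefix; "0.0.0.0/0" is the default route
    dev: str                    # egress interface


def _contains(ip: str, prefix: Optional[str]) -> bool:
    """True when the prefix is unset (matches everything) or contains ip."""
    if prefix is None:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match inside a single routing table."""
    hits = [r for r in table if _contains(dst, r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)


def select_route(rules: List[Rule], tables: Dict[str, List[Route]],
                 src: str, dst: str) -> Tuple[Optional[Rule], Optional[Route]]:
    """Kernel semantics: walk rules by ascending priority; the first rule that
    matches AND whose table has a route for dst decides the egress path."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _contains(src, rule.src) and _contains(dst, rule.dst):
            route = lookup(tables[rule.table], dst)
            if route is not None:
                return rule, route
    return None, None


def matching_rules(rules: List[Rule], src: str, dst: str) -> List[int]:
    """Priorities of every rule that matches the flow, in evaluation order.
    Anything listed before your own rule is a candidate for shadowing it."""
    return [r.priority for r in sorted(rules, key=lambda r: r.priority)
            if _contains(src, r.src) and _contains(dst, r.dst)]


ROUTER = "192.168.50.1"   # constructed LAN address of the router
DOT = "1.1.1.1"           # the DoT resolver traced in the post

TABLES = {
    "main":   [Route("192.168.50.0/24", "br0"), Route("0.0.0.0/0", "eth0")],  # WAN default
    "ovpnc1": [Route("0.0.0.0/0", "tun11")],                                 # VPN client default
}

# Constructed baseline: a hypothetical higher-priority rule that keeps
# router-originated traffic in 'main', plus the stock catch-all to 'main'.
BASELINE = [Rule(100, "main", src=ROUTER), Rule(32766, "main")]


def egress_with_src_and_dst_rule() -> str:
    """Rule 'from router to DoT -> VPN' added below the baseline rule: it is
    never reached, because priority 100 already matches and has a default route."""
    rules = BASELINE + [Rule(200, "ovpnc1", src=ROUTER, dst=DOT)]
    _, route = select_route(rules, TABLES, ROUTER, DOT)
    return route.dev


def egress_with_dst_only_rule() -> str:
    """Destination-only rule installed ahead of the source-keyed baseline rule:
    it matches first and steers the DoT flow into the tunnel."""
    rules = BASELINE + [Rule(50, "ovpnc1", dst=DOT)]
    _, route = select_route(rules, TABLES, ROUTER, DOT)
    return route.dev


if __name__ == "__main__":
    print("src+dst rule ->", egress_with_src_and_dst_rule())   # eth0 (WAN)
    print("dst-only rule ->", egress_with_dst_only_rule())     # tun11 (VPN)
    print("rules matching the flow:", matching_rules(BASELINE, ROUTER, DOT))
```

The practical check this models is to compare the output of `ip rule show` against the flow you care about: if any earlier rule matches both the source and destination and its table holds a default route, your rule is shadowed regardless of how specific it is. The traceroute in the post, with its first hop on the 10.8.x.x tunnel side, is the end-to-end confirmation that the chosen rule actually won.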