Another thing you may notice is that you might not be able to update your Entware repository if NTP is not set right on the router. Another example: assume the router DNS is not set and Stubby does not start because NTP is not set properly; then none of the router security features such as AiProtect or Skynet will work properly either. Also, the router will assume the internet is down when it tries to use its network detection tools.
Having the WAN DNS blank doesn't mean what you are doing is necessarily "wrong"; it is just important to understand that there are things that can go wrong. Hell, you may even experience times when your VPN server won't connect if your DNS does not work, especially if the VPN provider uses hostnames as the gateway point instead of IP addresses. Without DNS capabilities, the router would not be able to resolve the VPN gateway's hostname to make an adequate connection. These issues that "could" happen won't just occur at random. They may occur more as a ripple effect, one after the other.
I've taken your advice and added back in the Quad9 WAN DNS servers.
I've installed tcpdump. What interface(s) should I be monitoring?
If I run:
tcpdump -i any port 53 [This shows a huge amount of traffic on various interfaces, mainly eth4, eth7 and br0. If I visit a website, I can see it show up in the output. The majority seems to be IPv6, but not all; there are IPv4 addresses too]
Noting my WAN connection is PPPoE, I thought perhaps I should only be looking at this interface, so I ran:
tcpdump -i ppp0 port 53 [not much shows at all; if I visit a website I haven't resolved in a while, I get Trend Micro showing up, using the WAN DNS servers (expected from what you've said), and also a couple related to my ISP (I assume this is something to do with the PPPoE connection)]
tcpdump -i ppp0 port 853 [I see some traffic (basically all to a domain/hostname related to my ISP). There's not really anything other than packets relating to my ISP and one.one.one.one.853:]
I'm not convinced it's working as it should. Basically, if I should only be concerned with the ppp0 interface then it's possibly working how it should. If I need to be concerned with the other interfaces then it almost certainly isn't using DoT properly, especially for IPv6. I had read a guide that said to manually set the IPv6 DNS server to the router's IPv6 link-local address; however, I've just read someone saying to leave the IPv6 DNS setting on auto. Neither seems to affect the above results...
EDIT: I've just realised all of the traffic picked up on eth4/eth7/br0 over port 53 seems to be internal, i.e. between my router and my devices (plus the occasional Trend Micro/ISP traffic over ppp0). So I think (maybe) I can conclude it's all working as it should. The key thing is that, other than the router-based requests that are still going over port 53 (Trend and router-to-ISP related), everything else on the ppp0 interface is going over 853/DoT.
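The check the thread arrives at by eyeballing three separate captures (plaintext port 53 is fine on the LAN side, only 853 should leave on the WAN) can be done in one pass. The script below is an added example and not code from the thread or from the router firmware: it reads the per-packet header lines that `tcpdump -i any -nn 'port 53 or port 853'` prints (the interface-and-direction format of tcpdump 4.99 and later is assumed), buckets each packet as LAN plaintext, WAN DoT or WAN plaintext, and lists the WAN plaintext endpoints so you can decide whether each one is an expected router-originated lookup or a leak. The interface name `ppp0`, the addresses and the sample lines are all constructed for the example.

```python
from __future__ import annotations

import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed WAN interface (the PPPoE link in the thread); every other interface
# is treated as LAN-side (br0, ethN, wireless bridges, ...).
WAN_IFACE = "ppp0"

# Per-packet header printed by `tcpdump -i any -nn` on tcpdump >= 4.99:
#   <timestamp> <iface> <In|Out|P|B|M> IP|IP6 <src.port> > <dst.port>: ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out|P|B|M)\s+"
    r"(?P<proto>IP6?)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
)

# Constructed sample capture: two LAN lookups and a reply on br0, a DoT
# handshake to 9.9.9.9:853 on ppp0, and one plaintext query leaving ppp0.
SAMPLE = """\
10:15:01.000001 br0   In  IP 192.168.1.20.51234 > 192.168.1.1.53: 1234+ A? example.com. (29)
10:15:01.000002 br0   Out IP 192.168.1.1.53 > 192.168.1.20.51234: 1234 1/0/0 A 93.184.216.34 (45)
10:15:01.000003 ppp0  Out IP 203.0.113.5.40001 > 9.9.9.9.853: Flags [S], seq 1, win 64240, length 0
10:15:01.000004 ppp0  In  IP 9.9.9.9.853 > 203.0.113.5.40001: Flags [S.], seq 2, ack 2, win 65535, length 0
10:15:02.000005 ppp0  Out IP 203.0.113.5.40002 > 9.9.9.9.53: 4321+ A? updates.example.net. (37)
10:15:02.000006 br0   In  IP6 fe80::abcd.51235 > fe80::1.53: 5555+ AAAA? example.org. (29)
"""


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int


def _split_endpoint(ep: str) -> Optional[tuple[str, int]]:
    # With -nn tcpdump prints host.port; the port follows the last dot, which
    # also holds for IPv6 (fe80::1.53). Only valid for TCP/UDP lines, which a
    # 'port 53 or port 853' filter guarantees.
    host, _, port = ep.rpartition(".")
    if not host or not port.isdigit():
        return None
    return host, int(port)


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line)
    if m is None:
        return None
    src = _split_endpoint(m["src"])
    dst = _split_endpoint(m["dst"])
    if src is None or dst is None:
        return None
    return Packet(m["iface"], m["dir"], src[0], src[1], dst[0], dst[1])


def classify(pkt: Packet, wan: str = WAN_IFACE) -> str:
    """Bucket a packet by where plaintext vs encrypted DNS is seen."""
    ports = {pkt.src_port, pkt.dst_port}
    if pkt.iface == wan:
        if 853 in ports:
            return "dot_wan"    # DoT on the WAN link: what should be there
        if 53 in ports:
            return "plain_wan"  # plaintext DNS on the WAN: inspect each one
    elif 53 in ports:
        return "plain_lan"      # LAN clients talking to the router's resolver
    return "other"


def summarize(text: str, wan: str = WAN_IFACE) -> dict:
    counts: Counter[str] = Counter()
    plaintext_wan: list[tuple[str, str]] = []
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            if line.strip():
                counts["unparsed"] += 1
            continue
        kind = classify(pkt, wan)
        counts[kind] += 1
        if kind == "plain_wan":
            plaintext_wan.append((pkt.src_host, pkt.dst_host))
    return {"counts": dict(counts), "plaintext_wan": plaintext_wan}


if __name__ == "__main__":
    # Pipe a live capture in, or run with no stdin to use the constructed sample:
    #   tcpdump -i any -nn -l 'port 53 or port 853' | python3 dns_leak_check.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    result = summarize(data)
    print(result["counts"])
    for src, dst in result["plaintext_wan"]:
        print(f"plaintext DNS on {WAN_IFACE}: {src} -> {dst}")
```

On the sample the WAN plaintext list holds the single router-originated query to 9.9.9.9, which matches what the thread describes for the Trend Micro/WAN DNS lookups. A client address from the LAN subnet showing up as a source in that list would mean a device is bypassing the router's resolver, which is the case the DoT setup is meant to rule out.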