Having recently reviewed as much of the seemingly endless discussions as I could find, I ended up with the following configuration, which I'm sharing in case it might be of assistance to OP or anyone else. I make no warranties that my choices are the best choices and welcome suggestions.
Thanks to @themiron and @RMerlin for implementing DoT. Thanks to all for alpha and beta testing this feature and for your earlier comments on configuration options.
- In the webui go to WAN / Internet Connection / WAN DNS Setting
- Set Connect to DNS Server automatically to No. (When using DoT this setting governs what happens in case your selected DoT DNS server doesn't load correctly. Setting it to Yes means that your router will start off with your ISP's DNS server before the router loads your selected DoT server. Setting it to No means that your router will start off with whatever fallback DNS server you select.)
- At DNS Server1, enter 1.1.1.1. (As most will recognize, this is for Cloudflare. I chose it because I personally choose to assiduously avoid using my ISP's DNS server for any purpose, even the time check at router startup.)
- At DNS Server2, enter 1.0.0.1. (This is Cloudflare's secondary address.)
- Set Forward local domain queries to upstream DNS to No. (Whether it's your ISP's DNS server, Cloudflare or whatever, the upstream DNS doesn't know your local network map.)
- Set Enable DNS Rebind protection to Yes. (Doing so helps to defend against possible cross-scripting attacks.)
- Set Enable DNSSEC support to Yes. (@RMerlin recommends this at https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy.)
- Set Validate unsigned DNSSEC replies to Yes. (@RMerlin also recommends this at https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy.)
- Set Prevent client auto DoH to Auto.
- At DNS Privacy Protocol, select DNS-over-TLS (DoT).
- At DNS-over-TLS Profile, select Strict.
- At Preset servers, select your preferred DNS service. I went with Quad9's 9.9.9.9 and 149.112.112.112 because I prefer Quad9 and like its filtering of malicious websites. (If you choose 2 different services, such as Quad9 and Cloudflare, the router will alternate between the two, rather than using one as primary and another as backup).
- Hit Apply.
Once again, this is just what I've chosen based on my judgments of what I've read on this forum. Exercise your own judgment. Good luck!
[1/24/20 edit] Added thanks to @themiron, who developed DoT in Merlin almost entirely himself.
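For anyone who wants to confirm from a client what the Strict DoT profile and the DNSSEC settings above actually buy you, here is an added example (my own, not code from the post or from Asuswrt-Merlin). It opens a TLS session to Quad9 on port 853 with certificate and hostname verification, sends a query with the AD bit set, and reads back the AD flag that a validating resolver sets; the hostname dns.quad9.net and the example.com lookup are assumptions for the demo.

```python
import socket
import ssl
import struct

# Constructed sample: a response header with QR, RD, RA and AD set and one answer.
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query; flags 0x0120 = RD (recursion) + AD (report validation)."""
    header = struct.pack("!HHHHHH", txid, 0x0120, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass 1 = IN


def parse_flags(resp: bytes) -> dict:
    """Decode the header: RCODE, AD (DNSSEC-validated), TC (truncated) and answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"txid": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "tc": bool(flags & 0x0200), "answers": an}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS peer closed the connection early")
        buf += chunk
    return buf


def dot_query(query: bytes, server_ip: str, server_name: str, port: int = 853) -> bytes:
    """Send one query over DNS-over-TLS (RFC 7858: TLS on 853, 2-byte length prefix)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check = "Strict"
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server_ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


if __name__ == "__main__":
    # Assumed values for the demo: Quad9's address from the post and its DoT hostname.
    resp = dot_query(build_query("example.com"), "9.9.9.9", "dns.quad9.net")
    info = parse_flags(resp)
    print(info)  # "ad": True means Quad9 validated the DNSSEC chain for this answer
```

A certificate that does not match dns.quad9.net makes wrap_socket raise, which is the failure a Strict profile is meant to produce rather than silently falling back.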
In step 3 & 4 you chose Cloudflare and in step 12 you chose Quad9. Why not Quad9 in step 3 & 4 also?