Есть две техники DNS over TLS (с помощью пакета stubby) и DNS over HTTPS (с помощью http-dns-proxy).
Говорят, что stubby (DoT) работает быстрее и лучше https://forum.openwrt.org/t/https-dns-proxy-vs-stubby/52446

https://www.opennet.ru/tips/3061_unbound_dns_tls_crypt.shtml

https://forum.openwrt.org/t/tutorial-no-cli-configuring-dns-over-tls-with-luci-using-stubby-and-dnsmasq/29143

• Log into LuCI at http://192.168.1.1/cgi-bin/luci/ 45, go to System → Software, and hit the Update Lists button.
• Filter down to find the package called “stubby”, and click the Install button. For OpenWrt 18.06.1 users, also install “ca-certificates” and “ca-bundle”. This is needed due to a missed dependency on the stubby package. Newer versions of OpenWrt corrected this.
• Go to System → Startup, find stubby, and click the Start button. Also set stubby to “Enabled” on this same screen.
• Go to Network → Interfaces. Click the edit button for WAN, go to advanced settings, and uncheck “Use DNS servers advertised by peer” and in “Use custom DNS servers” set it to 127.0.0.1. Then press Save & Apply. Repeat this same step for the WAN6 interface, using 0::1 instead of 127.0.0.1.
• Under Network → DHCP and DNS, click the “Resolv and Hosts Files” tab, and put a check mark next to “Ignore resolve file”. Press Save & Apply.
• Under Network → DHCP and DNS, click the “General Settings” tab, set the “DNS forwardings” list to 0::1#5453 and 127.0.0.1#5453.
• Go to System → Startup, find “dnsmasq” and click “Restart”.

У меня работал DNS over HTTPS, однако он часто затуплял (очень нагружал проц) и переставал работать. Изменение настрок не сильно помогало. Версии LEDE - 18.06 и 19.07.