Confused by multiple DNS settings; advice for best practices/conflict avoidance?

Do what @trendy said if you want expert eyes on your config.

But generally speaking, in the default install, the dnsmasq (or more capable dnsmasq-full) is the main OpenWrt package responsible for resolving DNS requests.

The https-dns-proxy, like the name implies, is a little proxy service which takes normal DNS requests, encrypts them on your router so that your ISP or MITM cannot monitor/alter/resell your DNS queries and sends them to the supporting servers which can process encrypted DNS requests. So with the https-dns-proxy, again in the default configuration, your network device sends the request for name resolution to dnsmasq, then dnsmasq hands the request over to https-dns-proxy, which encrypts the request and (in your case) sends it to Quad9 servers, which process the request and send encrypted reply back, https-dns-proxy decrypts it and hands the decrypted reply to dnsmasq which sends it to your network device.

The 3 major adblocking scripts/services available for OpenWrt (adblock, adblock-fast, adblock-lean) again, in default configuration, all work very similarly. They download multiple block-lists in different formats and process them to prepare a single block-list file for dnsmasq, so that when your network device sends a request for the domain which is part of the block-list, the dnsmasq replies that the domain is not found rather than trying to resolve it to the IP address.

There are alternative solutions for adblocking on your network, like AdGuardHome or pi-hole which can be deployed on/in addition to OpenWrt, but then those completely take over the name resolution service and you most likely are not using dnsmasq on your OpenWrt router for name resolution then.

Another option to consider (if you're already using https-dns-proxy) is to use some of the customizable DoH resolvers, where you can combine adblocking and secure DNS in the same service. Some of the servers allow you to specify as extra parameter either:

  • you user ID and then on the DoH server dashboard you can configure what do you want to be blocked
  • a special string which contains the IDs for the block-lists you want used when you send domain name for the resolution

Either way, that offloads your adblocking to the DoH server, if you send the domain name for resolution which is found in any of the block-lists enabled, the DoH server returns the "domain not found" reply which is then handed down to your network device. There are pros and cons to this approach, but unless you want to micro-manage your block/allow-lists, that might work very well to replace either adblock or adblock-lean.