Tried this manual: https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy
And test here: https://www.cloudflare.com/ssl/encrypted-sni/ still shows to me question mark in "Secure DNS" section. Also this test: https://1.1.1.1/help tells, that I don't ust DoH.
I tried to delete all DNS servers in my WAN interface and add one DNS server there - 127.0.0.1 or 192.168.1.1. Tried to add DNS hijacking rule to firewall https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns No effect.
Where did I fail?
DHCP config:
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option ednspacket_max '1232'
option dnssec '1'
option quietdhcp '1'
option noresolv '1'
option doh_backup_noresolv '-1'
list doh_backup_server ''
option localuse '1'
option localservice '1'
list server '127.0.0.1#5054'
list server '/ntp.time.in.ua/1.1.1.1'
list server '/ntp.time.in.ua/'
list server '/ntp2.time.in.ua/1.1.1.1'
list server '/ntp2.time.in.ua/'
list server '/ntp3.time.in.ua/1.1.1.1'
list server '/ntp3.time.in.ua/'
list server '/openwrt.pool.ntp.org/1.1.1.1'
list server '/openwrt.pool.ntp.org/'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
list ra_flags 'none'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'