Some good news and update regarding the TYPE=65 [HTTPS] DNS queries.
According to the latest changelog of Dnsmasq, in version 2.90 there is a new option added called
--filter-rr
If it's implemented in a future release of OpenWrt, we might be able to add this line:
filter-rr=ANY
in /etc/dnsmasq.conf (or preferably an option in luci if available) and it will filter out any DNS types from the replies except for A, AAAA, MX and CNAME.
This should finally solve the issue if it works properly.
Sources:
"https://thekelleys.org.uk/dnsmasq/CHANGELOG"
"https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html"