And since we're in a [No CLI] thread, you can add this entry from LuCI at the end of Step 6:
Under Network -> DHCP and DNS, click the "General Settings" tab, add to the end of "DNS forwardings" list.
Go to Network -> Interfaces. Click the edit button for WAN, go to advanced settings, and uncheck "Use DNS servers advertised by peer" and in "Use custom DNS servers" set it to 127.0.0.1. Then press Save & Apply. Repeat this same step for the WAN6 interface, using 0::1 instead of 127.0.0.1.
Is this step needed? I set up my custom DNS servers to Cloudflare and Google, and then followed this guide, which doesn't change the custom DNS servers on the Network -> Interfaces tab, yet I still show as using secure DNS and DNSSEC.
That step is in reality a really bad idea. OpenWrt needs access to DNS while booting up, and setting it to use Stubby, which may not be up and running yet, will result in random weird issues when booting.
I had terrible weird issues (no Internet access, no DNS, etc.) until I changed the custom DNS servers back to Quad9, at which point the router booted up perfectly every time. The ONLY downside is the DNS traffic from the router itself is not DNS over TLS, and I couldn't care less. I'm happy that my network clients are using DNS over TLS.
It is not possible for Stubby to be UP during boot or right after boot because of the race condition with the SYSNTPd service.
The clock on the device should be synced via NTP for Stubby to be able to establish an SSL/TLS connection to the upstream DNS provider.
Blocking internet connectivity at boot time by directing WAN DNS to a non-functional local DNS service leaves the device unable to perform NTP sync, and thus DNS/Stubby unable to function properly too.
In the absence of correct time on the device, it is not possible to verify the SSL/TLS certificate chain during the handshake to the upstream DNS provider (some certificates may be 'not yet valid', etc.).
@AjkayAlan Based on the post from @open.nya please remove what is currently step 4:
Go to Network -> Interfaces. Click the edit button for WAN, go to advanced settings, and uncheck "Use DNS servers advertised by peer" and in "Use custom DNS servers" set it to 127.0.0.1. Then press Save & Apply. Repeat this same step for the WAN6 interface, using 0::1 instead of 127.0.0.1.
I know it's a bit late, but in case anybody is still interested: I had the same problem after each reboot, i.e., no internet because no DNS, just like @jbrossard said. Stubby's status after reboot says active with no instances, so I restarted stubby and voila, internet is working again. To make this work without logging in and restarting stubby, write a simple procd init script, enable it at startup and give it an S95 priority.
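The late restart suggested above, combined with the NTP dependency described earlier in the thread, as an added example that is not code from any poster or from the Stubby package: it restarts Stubby only once the system clock has passed a plausibility floor, so the TLS certificate checks can succeed. The `MIN_EPOCH` floor, the `TIMEOUT` value, the `NOW_OVERRIDE` test hook and the `/etc/init.d/stubby` default path are assumptions.

```shell
#!/bin/sh
# Added example: restart Stubby only after the clock looks synced.
# Assumed values: MIN_EPOCH floor, TIMEOUT, and the Stubby init script path.

MIN_EPOCH="${MIN_EPOCH:-1704067200}"   # 2024-01-01T00:00:00Z, constructed floor
TIMEOUT="${TIMEOUT:-120}"              # seconds to wait for NTP before giving up
STUBBY_INIT="${STUBBY_INIT:-/etc/init.d/stubby}"

# now_epoch: wall clock in seconds; NOW_OVERRIDE lets a test inject a value.
now_epoch() {
    if [ -n "${NOW_OVERRIDE:-}" ]; then echo "$NOW_OVERRIDE"; else date +%s; fi
}

# clock_is_plausible: true once the clock is at or past the floor, so the
# certificate validity window can be checked against a sane "now".
clock_is_plausible() {
    [ "$(now_epoch)" -ge "$MIN_EPOCH" ]
}

# wait_for_clock: poll once per second until plausible or TIMEOUT expires.
wait_for_clock() {
    waited=0
    while ! clock_is_plausible; do
        [ "$waited" -ge "$TIMEOUT" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# restart_stubby_when_synced: 0 after a restart, 1 if the clock never synced.
restart_stubby_when_synced() {
    if wait_for_clock; then
        "$STUBBY_INIT" restart
    else
        logger -t stubby-late "clock before floor after ${TIMEOUT}s" 2>/dev/null || true
        return 1
    fi
}

# Act only when called as "<script> run", so sourcing it has no side effects.
if [ "${1:-}" = "run" ]; then
    restart_stubby_when_synced
fi
```

A late-starting init script or boot hook can call it with the `run` argument. The floor only catches a clock that is earlier than `MIN_EPOCH`; a clock that is past the floor but still stale passes the check.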
You should see your ISP's DNS servers. Keep DNS weight = 0.
If you followed the setup properly, the clients on your LAN will get DNS resolution through Stubby, while the router itself will use your ISP's DNS servers. This is necessary so the router will boot properly.