Instead I ended up with these lines in /etc/config/firewall:
config rule
	option target 'ACCEPT'
	option name 'Allow router to perform DNS'
	option family 'ipv4'
	option src_ip '192.168.1.1'
	option dest_port '53'
	option src '*'
	option dest '*'

config rule
	option src 'lan'
	option name 'Disallow Google DNS from LAN'
	option family 'ipv4'
	option dest_ip '8.8.8.8'
	option target 'REJECT'
	option dest 'wan'

config rule
	option src 'lan'
	option name 'Disallow Google DNS from LAN (2)'
	option dest 'wan'
	option family 'ipv4'
	option dest_ip '8.8.4.4'
	option target 'REJECT'

config rule
	option src 'lan'
	option name 'Disallow Cloudflare DOH from LAN'
	option dest_ip '1.1.1.1'
	option dest_port '443'
	option target 'REJECT'
	option proto 'tcp'
	option family 'ipv4'
	option dest 'wan'

config rule
	option src 'lan'
	option name 'Disallow Cloudflare DOH from LAN (2)'
	option proto 'tcp'
	option dest 'wan'
	option dest_ip '1.0.0.1'
	option dest_port '443'
	option family 'ipv4'
	option target 'REJECT'

config rule
	option src 'lan'
	option name 'Disallow Cloudflare DOH from LAN (3)'
	option dest_ip '104.16.249.249'
	option family 'ipv4'
	option dest 'wan'
	option target 'REJECT'
Pretty much as basic as you'd think. The router itself acts as a DNS server via dnsmasq, and is allowed to do anything I decide I want.
On my network I have a Pi-hole instance which then forwards queries to the router, so it also intercepts/looks up local LAN names correctly.
All clients on the network are provided the Pi-hole as the canonical DNS server to use via DHCP options.
Works for me.
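As an added example (not code from the post or from OpenWrt), here is a small Python matcher that parses an excerpt of the UCI rules above and reports which LAN-to-WAN flows they reject, following OpenWrt's first-match ordering and its default of 'tcp udp' when a dest_port is set without a proto; the fallthrough zone policy of ACCEPT for lan to wan is an assumption.

```python
import ipaddress
import re

# Excerpt of the rules from the post, embedded here as constructed test input.
FIREWALL_UCI = """
config rule
	option src 'lan'
	option name 'Disallow Google DNS from LAN'
	option dest_ip '8.8.8.8'
	option target 'REJECT'
	option dest 'wan'
config rule
	option src 'lan'
	option name 'Disallow Cloudflare DOH from LAN'
	option dest_ip '1.1.1.1'
	option dest_port '443'
	option target 'REJECT'
	option proto 'tcp'
	option dest 'wan'
"""

def parse_rules(text):
    # Each 'config rule' line opens a new section; its options are collected in file order.
    rules = []
    for line in text.splitlines():
        if line.strip() == "config rule":
            rules.append({})
        elif (m := re.match(r"^\s*option\s+(\w+)\s+'([^']*)'", line)) and rules:
            rules[-1][m.group(1)] = m.group(2)
    return rules

def rule_matches(rule, src, dest, dest_ip, proto, dport):
    # Zone match: '*' (or an absent option) matches any zone.
    if rule.get("src", "*") not in ("*", src) or rule.get("dest", "*") not in ("*", dest):
        return False
    if "dest_ip" in rule and ipaddress.ip_address(dest_ip) not in ipaddress.ip_network(rule["dest_ip"]):
        return False
    # OpenWrt: a port without proto implies 'tcp udp'; neither option means any protocol.
    protos = rule.get("proto", "tcp udp" if "dest_port" in rule else "all").split()
    if "all" not in protos and proto not in protos:
        return False
    return "dest_port" not in rule or str(dport) == rule["dest_port"]

def verdict(rules, **flow):
    # First matching rule wins; an unmatched flow falls to the zone policy, assumed ACCEPT here.
    for rule in rules:
        if rule_matches(rule, **flow):
            return rule["target"], rule["name"]
    return "ACCEPT", "zone default (assumed)"
```

Running `verdict(rules, src="lan", dest="wan", dest_ip="1.1.1.1", proto="udp", dport=53)` shows that the excerpt only catches Cloudflare on tcp/443, while plain DNS to the same address falls through to the zone policy.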