@Hemicrusher 

That won't work.

What you instructed the TP-Link router was to sent any request to 8.8.8.8 public IPs reachable only on the WAN side to be redirected to itself on the LAN.

To avoid Roku going to Internet could be tricky, you need to check the Roku configuration to ensure it's getting the TP-Link router IP as its DNS server, so then DoH will follow as expected.

Keep in mind, that if a Roku App has hard coded DNS servers (I mean it doesn't care about what Roku itself provides) then you will need to do so in the Roku App (if possible, sometimes is not).

For example, you could also bypass the TP-Link as DNS (DoH) if you configure it on your Chrome browser, and the only way to prevent browsers from leaking DNS, will be to put a firewall rule in the TP-Link to forbid outgoing DNS request (Not only on the port 53, but the others related to DNSoverTLS, DNSoverHTTP, etc.), so you really ensure your TP-Link router is the only DNS server available in the LAN.

@Hemicrusher 

I have IoTs devices from Google/TP-Link, all regular streaming services (e.g. Netflix, Amazon), no torrents!, no UPnP cheaters (is disabled on all routers).

Apart from one weird Android Apps with strange HTTPS ports, these rules works like a charm for no DNS leaking.

The ER605 is upwards to two ISP. Downwards WiFi is serve via TP-Link Deco M9 Plus.

@Hemicrusher 

Those rules are for complete close down to the feasible minimum, and still there is a possibility of leak.

If you only want to block Google DNS (because your device Roku and all Apps installed are dummy aka. "standard"), you have two options:
 

- Per IP is tricky, if you only want to block Google, will be enough with a rule per each IP.

  But be aware that some Devices/Apps can use different servers if not available the Google Ones (and fool you completely).

AND/OR:

- Per Port, depending on what you want to achieve several ports requires blocking, so I will give you counter examples (now more and more common on IoTs):

  - Some Devices/Apps use the traditional DNS on port UDP/53, if you have a local DNS server like Pihole then TCP/53 is also needed.

  - Some (Smart) Devices/Apps switch to DoH (DNS over HTTPS) so you need to block TCP/443, but you can't, or ... Youtube will fail if you miss an IP in the rule.

  - Some (Smart) Devices/Apps switch to DoS (DNS over TLS) so you need to block por TCP/853.

The recommendation will be to start with 1-2 rules and add more rules, until you get the desired behavior.

Be careful when blocking DNS on the ER605, whatever is downward will suffer instantly if something fails, you will notice it just later (due to DNS caches).

  @Hemicrusher correct last line picks everything else.

  @Hemicrusher