I can’t see how a web test could tell you this, at least not reliably.
By default, recent OS on Omnia and MOX will serve DNS-over-TLS. (port 853 on the router’s IP addresses used for DNS) That default is with “untrustworthy” certificate, so we could call that opportunistic security, working only against passive attackers.
Then independently of that, there’s the segment from router towards the internet. There’s no TLS by default. In DNS tab of (re)Foris you can select forwarding over TLS to some provider, a few predefined or any custom one. There the certificate will be checked (unless you explicitly disable that).
Some (cloud) DNS provides offer web tests telling you if you’re using their DNS and perhaps even some parameters of that connection (on the last segment before their servers). That can be done reliably.
Once you properly configured “forwarding” to one of the DoT supporting dns servers such as Google dns or Cloudflare dns
then you can verify by capturing outgoing packets from wan interface
tcpdump -v -n -i eth2 dst port 853
Also to cross check if something goes out plain
tcpdump -v -n -i eth2 dst port 53
Btw I have a question why KnotResolver listens on 853 as well, is there any usecase?