First off, thanks for this.
Question: the paper notes that secure DNS requests can be blocked, using these design flaws, in the hope of having the victim fall back to old insecure DNS. If a router running firmware 8.something is configured to use secure DNS (Network tab → DNS over HTTPS on a B20x ) will it fall back to old/insecure DNS if the secure DNS server can not be reached?