I believe the way to set up systemd-resolved with DNS-over-TLS is as described below.
Create a drop-in configuration for systemd-resolved in /etc/systemd/resolved.conf.d/local.conf with the following contents (the [Resolve] section header is required, and DNSOverTLS=yes is what actually turns on DoT in strict mode, i.e. no fallback to plaintext DNS):

[Resolve]
# Quad9 resolvers, IPv4 and IPv6
DNS=9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
DNSOverTLS=yes
This example uses Quad9, but you can use whatever servers you like (that support DNS-over-TLS).
Enable systemd-resolved and restart it so the new configuration is picked up:
sudo systemctl enable systemd-resolved
sudo systemctl restart systemd-resolved
Test if the resolver works:
$ resolvectl query example.com
example.com: 2606:2800:220:1:248:1893:25c8:1946 -- link: wlp0s20f3
220.127.116.11 -- link: wlp0s20f3
-- Information acquired via protocol DNS in 155.9ms.
-- Data is authenticated: yes
Finally, create a symlink for /etc/resolv.conf to hand control over to
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
There is one major caveat: if your local router sends a DNS search domain, queries for that domain are routed to your local (per-link) DNS server instead of the global servers configured above. If that server doesn't support DoT, all queries for that domain will fail.
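To check that DoT is really in force, and to spot exactly the per-link situation described in the caveat, here is an added shell helper that parses the output of resolvectl status (this is example code, not part of the original post; the status text is a constructed sample, and the interface name and search domain in it are assumptions). It serves both the "test if the resolver works" step and the caveat.

```shell
# Constructed sample of `resolvectl status` output (not captured from a real host):
# the global scope uses Quad9 over DoT, but the Wi-Fi link received a plain-DNS
# router and a search domain via DHCP, which is exactly the caveat above.
SAMPLE_STATUS='Global
       Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 9.9.9.9 149.112.112.112

Link 2 (wlp0s20f3)
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.168.1.1
        DNS Domain: lan'

# dot_global_ok STATUS_TEXT: exit 0 only if the Global section shows +DNSOverTLS.
dot_global_ok() {
  printf '%s\n' "$1" | awk '
    /^Global/ { g = 1; next }
    /^Link /  { g = 0 }
    g && /Protocols:/ && /\+DNSOverTLS/ { ok = 1 }
    END { exit (ok ? 0 : 1) }
  '
}

# dot_weak_links STATUS_TEXT: print one line per link that lacks +DNSOverTLS yet
# can still receive queries (it is the default route or owns a search domain);
# with DNSOverTLS=yes, lookups routed to such a link fail.
dot_weak_links() {
  printf '%s\n' "$1" | awk '
    function report(  out) {
      if (link != "" && !dot && (route || dom != "")) {
        out = link; if (dom != "") out = out " domain=" dom; print out
      }
      link = ""
    }
    /^Link [0-9]+ \(/ {
      report()
      link = $0; sub(/^Link [0-9]+ \(/, "", link); sub(/\).*/, "", link)
      dot = 0; route = 0; dom = ""
      next
    }
    /^Global/ { report(); next }
    link != "" && /Protocols:/ { dot = ($0 ~ /\+DNSOverTLS/); route = ($0 ~ /\+DefaultRoute/) }
    link != "" && /DNS Domain:/ { dom = $0; sub(/.*DNS Domain: */, "", dom) }
    END { report() }
  '
}
```

On a live system, feed it the real output with `dot_weak_links "$(resolvectl status)"`; any link it prints is a resolver that queries for the listed domain will be sent to without TLS protection.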