Quad9 also supports DNSSEC.
It is extra work either way. What is better performance though?
I'm using dnsmasq with Pi-Hole's blocklists, and forwarding to unbound for DNS over TLS. Forwarding to another client such as doh-client could also work though I'm not sure how this would work with Quad9.
My router is a backup for this, to ensure there's less load on the MIPS machine.
Go is cross-platform, sure. However, dnscrypt-proxy is also very portable.
Using unbound won’t survive an EdgeOS upgrade, will it? Maybe a script under /config/scripts could ensure unbound is installed and configured though.
- dnsmasq resolver using Stubby for DoT stuff
- Unbound resolver using Stubby for DoT stuff
- Unbound doing it all
The last one, as of today, is not quite ready, missing some stuff Stubby does better.
How secure is this EdgeRouter lite? Is it open source? For what it's worth, I found one blog with VPNFilter botnet and Ubiquiti on the same page :)
The router isn't open hardware but it's a good bang for the buck (I also run WireGuard on it, btw). If you want a fully open source router, I can recommend having a look at Router7. The author's using a PC Engines APU2.
Downside is you gotta do a lot of work yourself, just like with OPNSense. But I like OPNSense, even though the hardware from the company behind it is expensive; the same is true for PFSense. And the company behind that isn't so friendly...
What work? Install is super easy ... I use OPNsense on small, fanless, cheap 'mini PC' with 2 LAN ports, you buy from AliExpress. Full x86-64, Intel with AES-NI support, for like $200 with 4GB RAM and 40GB SSD.
What work? Work to maintain it, test it, etc. Essentially, every time a software update is rolled out you do not know for sure if it is going to work flawlessly on your platform. For a random home network that might be sufficient; for a corporate network not so much.
I know about Aliexpress (and the like), but I don't find comparing Chinaware with non-Chinaware fair without taking that into account as a minus. Not that I wouldn't go that route if I would go for DIY though.
Router7 uses coreboot and a heartbeat to restart the machine if it fails.
x86-64 still uses more kWh than this MIPS machine. The ER-L has 3 ports, allowing physically separated networks. Depending on your setup you can even use both. The ER-X is less powerful and is MIPS32, though does support more hardware offloading (and WireGuard has optimizations written in C for MIPS32).
Hardware is your choice, but x86 gives you the best compatibility, and kWh is good, x86 CPU power management, mine uses less than 1W, max TDP is 6W.
Cisco, Juniper, and other closed source ones have a history of backdoors. Consumer grade routers are a joke.
I've used the mess called Quagga back in '00s. No, thank you. I did like OpenBGPd, but it isn't a necessity to have BGP support on every router. Linux can suffice on a router. Even though I do prefer PF, nftables seems promising.
I don't want to use x86-32 for a myriad of reasons. I don't need the software compatibility x86-32 offers.
I don't think so, I have my own fortress :)
There's no need to link to Wikipedia's HTTPS either. We both know what that is.
FYI: The malware you linked was for older or badly configured versions of those routers. If you don't upgrade OPNSense or Linux/BSD in general you're also in trouble.