I first started by simply adding the DNS address of the server I wanted to use in Network Manager, but that didn't work.
Then I tried editing /etc/systemd/resolved.conf:
[Resolve]
DNS=95.216.24.230
#FallbackDNS=
#Domains=
DNSSEC=yes
DNSOverTLS=yes
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
DNSStubListener=yes
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
That didn't work either. The browser is unusable. However, when I revert to my ISP's DNS or other simple DNS servers (and comment out all entries in /etc/systemd/resolved.conf), everything works fine. I have tried other DoT servers also; none of them work for me. I checked other posts on this subject, but they all seem to refer to 18.04. I am on 20.10 and things have changed since then. I am not sure if I should be editing through netplan or /etc/systemd/resolved.conf. Actually, I thought this would be a simple procedure of just inserting the IP of the DNS server into Network Manager, but obviously it is not.
For others who may be struggling with the same thing, the answer is to ignore Network Manager. Turn off "Automatic" in the DNS section and leave the DNS field blank in Network Manager. Then nano /etc/systemd/resolved.conf and set it like this:
The trick is that you must set DNS= to the IP PLUS '#' plus the server name for DNSOverTLS=true to work. This is because the server's certificate must be validated in order to proceed. If you don't provide the server's name, your machine cannot validate it. "Opportunistic" will work here but will not validate and opens several vulnerabilities, so it is not a good choice. Also, obviously, the DNS server you are connecting to must support DoT.
After this run:
and you should be good to go.
Thanks to Thomas Ward for pointing out the potential problems with the "opportunistic" setting and a clue to figuring out how to do it right.
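As an added illustration of the point made in the answer above (this is not code from the question, the answer, or systemd itself), the following Python script parses the [Resolve] section of a resolved.conf, splits each DNS= entry into its address, optional %interface scope and optional #hostname, and reports whether the configuration can give authenticated DNS-over-TLS. The sample configurations are constructed from the question's file; the hostname dot.example.invalid is a placeholder, since the real name of 95.216.24.230 is not given on this page. The :PORT form that resolved.conf(5) also accepts is deliberately not handled here.

```python
"""Lint a systemd-resolved [Resolve] section for DNS-over-TLS readiness.

Added example, not from the original question or answer.  systemd-resolved
takes DNS= entries of the form ADDRESS[%IFACE][#NAME]; the "#NAME" part is
the server name that strict mode (DNSOverTLS=yes) needs to validate the
certificate, which is exactly what the question's config was missing.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Message templates so callers (and tests) can match findings exactly.
CLEARTEXT = "DNSOverTLS is off: queries go out in cleartext"
OPPORTUNISTIC = ("DNSOverTLS=opportunistic: TLS is tried but the certificate is "
                 "not validated and a fallback to cleartext is allowed")
NO_SERVER = "DNS= is empty: no upstream server configured"
BAD_ADDRESS = "{token}: not a valid IP address"
MISSING_NAME = ("{address}: no '#hostname' suffix, so there is no name to "
                "validate the server certificate against")


class DnsServer(NamedTuple):
    address: str
    interface: Optional[str]   # "%iface" scope suffix, if any
    tls_name: Optional[str]    # "#name" used for certificate validation


def parse_server(token: str) -> DnsServer:
    """Parse one DNS= token of the form ADDRESS[%IFACE][#NAME].

    Raises ValueError if the address part is not an IPv4/IPv6 address.
    The optional :PORT syntax is not handled in this example.
    """
    name = None
    if "#" in token:
        token, name = token.split("#", 1)
    iface = None
    if "%" in token:
        token, iface = token.split("%", 1)
    ipaddress.ip_address(token)  # ValueError on a malformed address
    return DnsServer(token, iface or None, name or None)


def parse_resolve_section(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [Resolve] section, ignoring comments."""
    values: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Resolve" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def check_dot_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means strict, validated DoT."""
    conf = parse_resolve_section(text)
    mode = conf.get("DNSOverTLS", "no").lower()
    issues: List[str] = []
    if mode in ("no", "false", "0", "off"):
        return [CLEARTEXT]
    if mode == "opportunistic":
        issues.append(OPPORTUNISTIC)
    tokens = conf.get("DNS", "").split()
    if not tokens:
        issues.append(NO_SERVER)
    for token in tokens:
        try:
            srv = parse_server(token)
        except ValueError:
            issues.append(BAD_ADDRESS.format(token=token))
            continue
        if srv.tls_name is None:
            issues.append(MISSING_NAME.format(address=srv.address))
    return issues


# Constructed from the question's resolved.conf: strict mode, but no hostname.
QUESTION_CONF = "[Resolve]\nDNS=95.216.24.230\nDNSSEC=yes\nDNSOverTLS=yes\n"
# Same file with the fix from the answer; the hostname is a placeholder.
FIXED_CONF = "[Resolve]\nDNS=95.216.24.230#dot.example.invalid\nDNSSEC=yes\nDNSOverTLS=yes\n"
# The weaker setting the answer warns against.
OPPORTUNISTIC_CONF = ("[Resolve]\nDNS=95.216.24.230#dot.example.invalid\n"
                      "DNSOverTLS=opportunistic\n")

if __name__ == "__main__":
    for label, conf in (("question", QUESTION_CONF), ("fixed", FIXED_CONF),
                        ("opportunistic", OPPORTUNISTIC_CONF)):
        print(f"{label}: {check_dot_config(conf) or ['ok: strict DoT with name']}")
```

Running it shows the question's file flagged only for the missing '#hostname', the corrected file passing cleanly, and the opportunistic variant flagged for unauthenticated TLS with a possible cleartext fallback; the same checker can be pointed at a real /etc/systemd/resolved.conf by reading the file into `check_dot_config`.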