DD-WRT has an option on the Setup page called "Forced DNS Redirection" for these purposes.
Whether you rely on your ISP's DNS servers, or provide your own custom DNS servers (e.g., OpenDNS), these get added as public DNS servers to the router's own DNS server called DNSMasq (functioning as a local proxy). And by default, your clients are configured w/ its LAN ip (e.g., 192.168.1.1) as their DNS server. The "Forced DNS Redirection" option creates firewall rules to redirect any rogue DNS queries back to the router's DNS server.
But beware, we're only talking about traditional DNS here (i.e., udp/tcp port 53). We now have many apps (esp. browsers) that are implementing their own DNS configuration, typically using DoH solutions (i.e., non traditional DNS), and enabled by default. This has the effect of completely bypassing the router's DNS server, w/ no means to intercept it w/ firewall rules, since it looks like ordinary https (i.e., encrypted) traffic.