I had to change it for the actual device, not the connection, since I want it on all WiFi connections, but it doesn’t work permanently; restarting the service/rebooting makes it use DHCP again.
Also, the DNS I am trying to use (quad9.net) supports TLS, but it doesn’t use it, and setting DNSOverTLS=yes in /etc/systemd/resolved.conf breaks my connection: I can connect to the router, but web requests don’t come through (even without changing the DNS; my router is already set to use quad9). I am mildly annoyed, as this worked without fuss on Arch.
There is exactly 1 connection per device on any given computer:
nmcli connection show
This command will list all (networking hardware) DEVICES (if they are enabled, and not in airplane mode) and show their corresponding CONNECTION (i.e. Name, UUID, TYPE, and DEVICE, of course). There may be virtual connections shown, too, if you use a VPN or other DNS manager methods (e.g. unbound, or dnsmasq, or dnscrypt-proxy).
So you would have to set DNS for your WIFI DEVICE only once, on any machine.
/etc/systemd/resolved.conf should not be edited manually, as it is automatically created during install and updates.
I found the magic word that fixed everything: ipv4.ignore-auto-dns. I have set my DNS and this setting for the connection and the device, since it doesn’t seem to cause any problems, and enabling DoT and DNSSEC in resolved.conf now works as expected.
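An added example (not part of any post in this thread): a shell check for the two failure modes discussed above, a DHCP-supplied DNS server still present on a link and DNS-over-TLS or DNSSEC not active. It reads `resolvectl status` text; the sample outputs, the `wlan0` name and the `audit_resolved` function are constructed for illustration, and the allowed list assumes Quad9's public addresses.

```shell
#!/bin/sh
# Settings discussed in the thread, shown here only as comments:
#   nmcli connection modify "<connection>" ipv4.dns "9.9.9.9 149.112.112.112" \
#         ipv4.ignore-auto-dns yes
#   resolved.conf: DNSOverTLS=yes and DNSSEC=yes
# Allowed resolver IPs (assumption: Quad9's public addresses).
ALLOWED="9.9.9.9 149.112.112.112"

# Reads `resolvectl status` text on stdin and prints one finding per line.
# Prints nothing when every scope uses only allowed servers with DoT and DNSSEC on.
# Limitation: a "DNS Servers:" list wrapped onto continuation lines is not followed.
audit_resolved() {
  awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            scope = "Global" }
    /^Global/         { scope = "Global"; next }
    /^Link [0-9]+ \(/ { scope = $3; gsub(/[()]/, "", scope); next }
    /^[ \t]*Protocols:/ {
      if ($0 !~ /\+DNSOverTLS/) print scope ": DNS-over-TLS is off"
      if ($0 !~ /DNSSEC=yes/)   print scope ": DNSSEC is not enforced"
    }
    /^[ \t]*DNS Servers:/ {
      sub(/^[ \t]*DNS Servers:[ \t]*/, "")
      m = split($0, s, " ")
      for (i = 1; i <= m; i++) {
        ip = s[i]; sub(/#.*/, "", ip)        # drop the "#hostname" TLS name suffix
        if (!(ip in ok)) print scope ": unexpected DNS server " ip
      }
    }'
}

# Constructed sample: the router address handed out by DHCP is still in the list.
SAMPLE_BEFORE='Link 3 (wlan0)
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 9.9.9.9 192.168.1.1'

# Constructed sample: after ipv4.ignore-auto-dns, with DoT and DNSSEC enabled.
SAMPLE_AFTER='Link 3 (wlan0)
         Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 9.9.9.9#dns.quad9.net
       DNS Servers: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net'

# Live use: resolvectl status | audit_resolved
```

Running the check again after a reboot or a restart of the service shows whether the setting persisted.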