Pi-Hole+stubby+protonvpn+nextdns.io, working but weird/overkill/slow?

Everything seems to be working as far as I know, but I know there's some redundant BS going on and I'm not savvy enough to confidently make any new moves.

WRT3200ACM router set up with DD-WRT, ProtonVPN (built-in DNS server) running on OpenVPN. I also have a paid nextdns.io acct and I've got dnsmasq options pointing to 127.0.0.1, which runs DNS requests through stubby to nextdns.io. Then I set up the Pi-hole, plugged it in, set router DNS to 192.168.1.124 (Pi-hole), and Pi-hole upstream to nextdns.io. Everything is working... I think. I see things being blocked, but I know it's not right. There's like 3 levels of encryption and redundancy, idk, double cache... a lot to process, but I'd like to streamline everything and I need some help.

Pi-hole already contains dnsmasq and then you are in for some BF between those two.

BF = Bitch Fighting

Yes, I'm aware, however I'm not sure how to best resolve.
I screwed that DD-WRT install up so many times, one thing or another, and I couldn't access the web interface anymore. I've got a backup of where I want it, just don't feel like causing more problems poking around where I don't belong. I already donated because this thing is beautiful (GUI), it IS blocking a ton of requests and I see the simplicity. It's really incredible, but I know this setup is lame. The Pi-hole was added after, but I really love the idea of blocking most of those requests before they ever leave my network.

If dnsmasq is running on the DD-WRT the bitches can't see each other and start a fight.

You can switch off the cache of Pi-hole and dnsmasq but that is reverted for Pi-hole on the next update.

You made it complex but the path is simple.

What about disabling all that crap on the router and having OpenVPN running on the Pi, with Pi-hole, stubby and NextDNS? Just seems easier. I turned the cache on the Pi-hole to zero but can't find how to disable dnsmasq.

It is your chain of tools you are using. I see no problem as long as the chain does not tangle.

Disabling cache in dnsmasq:

 -c, --cache-size=<cachesize> Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. Note: huge cache size impacts performance.

Any reason you’re using stubby to connect to NextDNS instead of using NextDNS’ own purpose-built client? https://github.com/nextdns/nextdns/wiki

The NextDNS client probably will reduce a lot of complexity for you because it’s the stub resolver, plus it has in-built caching, and can pass client side names to be visible in your NextDNS console, if you choose.

You could just install and configure the NextDNS client to listen on an alternate port, then point your dnsmasq to that local client port and you would be set.

Out of curiosity, given that NextDNS already provides similar domain-level blocking capabilities as Pi-hole does, any particular reason for using both? I’m not here to steer you away from either, just genuinely curious as to your reasoning there. FWIW, I’m back to Pi-hole after using NextDNS for a while.

The client doesn't work on my model of router (WRT3200ACM). Using both to prevent any extraneous data being sent. Pi-hole is blocking almost everything and I'M IN LOVE, I vow to donate $20 for every one I set up! But I paid over $100 for a year of NextDNS, so... I don't want to throw that money away is all. Why don't I use the OpenVPN client on the router and run Pi-hole with NextDNS as upstream DNS server? Problem is, I want to use my paid acct, which requires something more than an IPv4 address. Also need dnsmasq on the router for OpenVPN. Ugh... I can smell perfection, it's so close.

Just checked my NextDNS page, no longer 100% of my requests are secured, I'm down to about 85. Pi-hole shows 2 clients: "localhost" and "IP_OF_ROUTER".

Ok, so I removed stubby from the router and set cache to zero, Pi-hole cache left @ 10,000.
Additional dnsmasq options (in DD-WRT): dhcp-option=6,192.168.1.124. Router has a DDNS server running which SHOULD keep NextDNS updated as to my IP. Still have 2 instances of dnsmasq though, except I'm thinking the one knows about the other now?
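
Added example, not written by anyone in the thread: a small Python audit of the resolver chain discussed above. It reads each hop's dnsmasq options (`server=`, `cache-size=`), follows the router's own queries hop by hop, and reports which hops cache and whether the chain loops back on itself. The router address 192.168.1.1, the upstream 203.0.113.53 and the three configurations are constructed samples. Following only the first `server=` line of each hop is a simplification.

```python
DEFAULT_CACHE = 150  # dnsmasq default cache size, as quoted in the thread

def parse_dnsmasq(text):
    """Return (upstreams, cache_size) from dnsmasq option lines."""
    upstreams, cache = [], DEFAULT_CACHE
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        if key == "server" and not val.startswith("/"):  # skip per-domain servers
            host, _, port = val.partition("#")           # dnsmasq syntax: ip#port
            upstreams.append((host, int(port or 53)))
        elif key == "cache-size":
            cache = int(val)
    return upstreams, cache

def audit(hops, start):
    """Follow each hop's first upstream. Returns (path, caching_hops, loop)."""
    path, caching, node = [], [], start
    while node in hops:
        if node in path:
            return path, caching, True       # chain points back at itself
        path.append(node)
        upstreams, cache = parse_dnsmasq(hops[node])
        if cache > 0:
            caching.append(node)
        if not upstreams:
            return path, caching, False
        node = upstreams[0]
    path.append(node)                         # resolver outside the audited hosts
    return path, caching, False

# Constructed sample data: router IP and upstream IP are placeholders.
ROUTER, PIHOLE = ("192.168.1.1", 53), ("192.168.1.124", 53)
UPSTREAM = ("203.0.113.53", 53)
PIHOLE_CONF = "server=203.0.113.53\ncache-size=10000\n"
BEFORE = {ROUTER: "server=192.168.1.124\n", PIHOLE: PIHOLE_CONF}
AFTER = {ROUTER: "server=192.168.1.124\ncache-size=0\n", PIHOLE: PIHOLE_CONF}
LOOP = {ROUTER: "server=192.168.1.124\n", PIHOLE: "server=192.168.1.1\n"}

if __name__ == "__main__":
    for name, hops in (("before", BEFORE), ("after", AFTER), ("loop", LOOP)):
        path, caching, loop = audit(hops, ROUTER)
        print(name, "path:", path, "caches:", caching, "loop:", loop)
```

Clients that receive 192.168.1.124 through `dhcp-option=6` skip the router hop entirely, so for them the audit would start at the Pi-hole entry.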