They are actually local VPNs looping back to your device. That's the only way to change DNS servers when on cellular data. Until Android P, which will finally allow that.
Would it be possible to skirt these policies by having a system-wide ad blocker that's only partially configured? Either the user has to modify their systems settings to use the local VPN or take some action to load or enable the blocklist.