You seem to forget that Domain Name Resolution became a problem after the more generic Name Resolution (i.e. Novell/LANMAN/NetBIOS). The generic name resolution system used lmhosts, which became hosts to more easily associate IPs and names. [0]
> Originally these names were stored in and provided by a hosts file but today most such names are part of the hierarchical Domain Name System (DNS).
DNS is unencrypted and a security risk. For the user. It's an old technology that needs to be updated.
DNS over TLS/HTTPS allows the browser to get a trusted record of IP which is a public register.
The bypass here is looking up what the corresponding IP address for a hostname is.
DNS based blocking isn't as effective as IP blocking.
You can feed a DNS based list of IPs you want to block into a firewall and have the exact same behaviour.
Both Firefox and Chrome have the ability to set enterprise user settings that can force certain configurations.
So you should have the ability to disable it if you want in your network.
If you're worried about the security of your network don't allow devices that you don't trust into it and restrict internet access properly.
What's more, anyone can configure a custom DNS resolver on their device when connecting to a network.
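As an added illustration of the point made above (example code written for this discussion, not taken from the thread or any project): a small script that resolves a hostname blocklist into addresses and renders IP-level firewall rules, so enforcement no longer depends on which resolver the client used. The DNS answers are a constructed in-memory table so it runs offline; the table and set names in the generated nftables commands are hypothetical.

```python
"""Turn a hostname blocklist into IP-level firewall rules.

Added example, not from the original thread. DNS answers come from a
constructed in-memory table standing in for a real resolver so the script
runs offline; resolve_live() shows the equivalent OS-resolver call.
The nftables table/set names are hypothetical placeholders.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]

# Constructed sample data: names to block and the A/AAAA answers a resolver
# returned for them (documentation-range addresses, not real hosts).
BLOCKLIST = ["ads.example.net", "tracker.example.org", "cdn.example.com"]

FAKE_DNS: Dict[str, List[str]] = {
    "ads.example.net": ["192.0.2.10", "192.0.2.11", "2001:db8::a"],
    "tracker.example.org": ["198.51.100.7"],
    "cdn.example.com": ["203.0.113.5", "192.0.2.10"],  # shares an IP with ads
}


def resolve_fake(host: str) -> List[str]:
    """Offline stand-in for DNS: look the name up in the constructed table."""
    return FAKE_DNS.get(host, [])


def resolve_live(host: str) -> List[str]:
    """Real resolution through the OS resolver (not used by the offline demo)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def blocklist_to_ips(hosts: Iterable[str], resolve: Resolver) -> Set[IPAddr]:
    """Resolve every hostname and collect the distinct addresses.

    Names that do not resolve are skipped; one IP serving several blocked
    names collapses into a single entry.
    """
    ips: Set[IPAddr] = set()
    for host in hosts:
        for addr in resolve(host):
            ips.add(ipaddress.ip_address(addr))
    return ips


def nft_rules(ips: Set[IPAddr], table: str = "inet filter",
              set4: str = "blocked_v4", set6: str = "blocked_v6") -> List[str]:
    """Render nftables commands that drop outbound traffic to the resolved IPs.

    Table and set names are hypothetical; adjust to the local ruleset.
    """
    rules: List[str] = []
    for version, set_name, family, addr_type in (
        (4, set4, "ip", "ipv4_addr"),
        (6, set6, "ip6", "ipv6_addr"),
    ):
        addrs = sorted(str(ip) for ip in ips if ip.version == version)
        if not addrs:
            continue
        rules.append(f"add set {table} {set_name} {{ type {addr_type}; }}")
        rules.append(f"add element {table} {set_name} {{ {', '.join(addrs)} }}")
        rules.append(f"add rule {table} output {family} daddr @{set_name} drop")
    return rules


def is_blocked(dst: str, ips: Set[IPAddr]) -> bool:
    """IP-layer check: true no matter which resolver (system DNS, DoH in the
    browser, a hosts file) produced the destination address."""
    return ipaddress.ip_address(dst) in ips


if __name__ == "__main__":
    resolved = blocklist_to_ips(BLOCKLIST, resolve_fake)
    for line in nft_rules(resolved):
        print(line)
```

Two caveats the sample data is built to show: a shared address (here 203.0.113.5's neighbour 192.0.2.10 serves both `cdn.example.com` and `ads.example.net`) means IP blocking can take down unrelated names hosted on the same IP, and resolved addresses go stale, so the set has to be regenerated on a schedule rather than produced once.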