by KungFuJohnny 2233 days ago
If you have a decent router, then you can just forcibly redirect any DNS requests from 8.8.8.8 to your PiHole.
2 comments

I have had good luck simply blocking any outbound port 53 traffic that doesn't come from pihole.

Although with DoH these days, I'm not confident my firewall rule is still doing a good job :(

If someone was rude enough to bypass DHCP's suggested DNS, is it reasonable to assume they were polite enough to use the standard port?

At this point every device on my network is hostile; default deny outbound is starting to feel like the reasonable starting point.

I have blocked port 53 forward and redirect. On my ISP's router (which I am forced to use), you can't block port 53 on the gateway itself.

I don't want to add an extra router because that would add unnecessary latency. The above is not an unusual setup at all.
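
The redirect-and-block approach discussed in this thread, written as an nftables ruleset for a Linux-based router. This is an added example, not part of any comment above; the interface name `br-lan`, the Pi-hole address `192.168.1.2`, and the table name `dnsguard` are assumptions to replace with your own values.

```nft
# Constructed example: adjust both values to the local network.
define LAN_IF = "br-lan"        # assumed LAN-side interface of the router
define PIHOLE = 192.168.1.2     # assumed Pi-hole address on the LAN

table ip dnsguard {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Any LAN client that sends DNS somewhere other than the Pi-hole
        # (for example a hard-coded 8.8.8.8) is rewritten to the Pi-hole.
        # The Pi-hole's own upstream queries are exempt via the saddr match.
        iifname $LAN_IF ip saddr != $PIHOLE ip daddr != $PIHOLE udp dport 53 dnat to $PIHOLE
        iifname $LAN_IF ip saddr != $PIHOLE ip daddr != $PIHOLE tcp dport 53 dnat to $PIHOLE
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # The Pi-hole sits on the same LAN as the clients, so redirected
        # queries must appear to come from the router. Otherwise the Pi-hole
        # answers the client directly and the client drops the reply because
        # it does not come from the address it queried.
        # Side effect: the Pi-hole logs redirected queries under the router's IP.
        oifname $LAN_IF ip saddr != $PIHOLE ip daddr $PIHOLE udp dport 53 masquerade
        oifname $LAN_IF ip saddr != $PIHOLE ip daddr $PIHOLE tcp dport 53 masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Backstop for the redirect: port 53 traffic from anything but the
        # Pi-hole that is still headed elsewhere is dropped.
        iifname $LAN_IF ip saddr != $PIHOLE ip daddr != $PIHOLE udp dport 53 drop
        iifname $LAN_IF ip saddr != $PIHOLE ip daddr != $PIHOLE tcp dport 53 drop

        # Not covered: DoH rides on TCP 443 and looks like ordinary HTTPS,
        # so none of these port-53 rules see it.
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list table ip dnsguard`; a client querying 8.8.8.8 should then show up in the Pi-hole query log.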