by codecasaurus 2227 days ago
Have you considered just blocking outgoing port 53 on your network? There are a few too many devices out there that have hardcoded DNS and don't respect the resolver communicated to them. (Chromecast is an easy example.)

Yes, 53 is allowed only to the Pi-hole and dropped everywhere else. I just blocked 853 on each pfSense interface. I will see how it acts when I get off work.
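The policy the two comments describe, written out as an added example that is not from either poster: plain DNS from the LAN is accepted only when it goes to the Pi-hole, all other port 53 traffic is logged and dropped so devices with hardcoded resolvers show up in the log, and port 853 (DNS over TLS, and DNS over QUIC on UDP) is dropped as well. pfSense is built on pf, so this uses nftables on a Linux router as an analog rather than pfSense's own rule syntax; the Pi-hole address `192.168.1.2` and interface name `lan0` are constructed values. The second function is a pure-shell model of the same decision so the intent can be checked without loading the ruleset.

```shell
#!/bin/sh
# Added example (not from the thread): nftables version of "53 only to the
# Pi-hole, drop 53 and 853 everywhere else" for LAN clients on a Linux router.
# Assumed/constructed values: PIHOLE_IP and LAN_IF.

PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"   # constructed: the LAN resolver's address
LAN_IF="${LAN_IF:-lan0}"                # constructed: LAN-facing interface name

# Emit the ruleset text to stdout. Apply with:  dns_egress_ruleset | nft -f -
dns_egress_ruleset() {
    cat <<EOF
table inet dns_egress {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # LAN clients may speak plain DNS only to the Pi-hole (UDP and TCP)
        iifname "$LAN_IF" ip daddr $PIHOLE_IP udp dport 53 accept
        iifname "$LAN_IF" ip daddr $PIHOLE_IP tcp dport 53 accept

        # Any other port 53 destination is a resolver bypass: log it, then drop
        iifname "$LAN_IF" udp dport 53 log prefix "dns-bypass: " drop
        iifname "$LAN_IF" tcp dport 53 log prefix "dns-bypass: " drop

        # Port 853 (DNS over TLS on TCP, DNS over QUIC on UDP) bypasses the
        # Pi-hole just as well, so it is logged and dropped too
        iifname "$LAN_IF" tcp dport 853 log prefix "dot-bypass: " drop
        iifname "$LAN_IF" udp dport 853 log prefix "doq-bypass: " drop
    }
}
EOF
}

# Shell model of the same decision for a single flow from the LAN.
# Usage: dns_egress_verdict PROTO DST_IP DST_PORT   -> prints accept|drop|pass
# "pass" means the flow is not a DNS flow and falls through to other rules.
dns_egress_verdict() {
    proto=$1; dst=$2; port=$3
    case "$port" in
        53)  if [ "$dst" = "$PIHOLE_IP" ]; then echo accept; else echo drop; fi ;;
        853) echo drop ;;
        *)   echo pass ;;
    esac
}

# Run directly with DNS_EGRESS_DEMO=1 to print the generated ruleset.
if [ "${DNS_EGRESS_DEMO:-}" = 1 ]; then
    dns_egress_ruleset
fi
```

Port-based rules only catch plain DNS and DoT/DoQ; DNS over HTTPS rides on TCP 443 and is indistinguishable from ordinary web traffic at this layer, so the `dns-bypass:` log entries are the useful signal here rather than a claim that every bypass is closed.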