by mmglr 2016 days ago
If I understand correctly, using "Nat Rule 1" a network can be configured to ignore my choice of DNS server while my device is on their network? What is the mitigation of this? DNSSEC or DNS over HTTPS or DNS over TLS?
1 comments

DNSSEC does nothing to address NAT interception of DNS, but DoH does: your network can't spoof a TLS certificate for your chosen DoH recurser (though, with some effort, they can just block you from the network if you don't comply with their DNS policy).
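The client side of the DoH point made in the reply above, as an added example that is not part of the original thread: the query travels as an RFC 8484 GET request inside TLS, and certificate plus hostname verification is what makes a NAT redirect fail closed instead of silently answering. The resolver URL `https://doh.example/dns-query` and all function names are hypothetical placeholders.

```python
import base64
import ssl
import struct
import urllib.request

# Hypothetical resolver endpoint (placeholder, not taken from the thread).
DOH_URL = "https://doh.example/dns-query"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a DNS wire-format query. ID is 0, as RFC 8484 suggests for caching."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(name: str, base: str = DOH_URL) -> str:
    """RFC 8484 GET form: base64url of the wire query with padding stripped."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{base}?dns={b64}"


def strict_tls_context() -> ssl.SSLContext:
    """TLS context that rejects any certificate not valid for the resolver's name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def resolve(name: str, base: str = DOH_URL) -> bytes:
    """Send the query and return the raw DNS response message.

    If the network redirects the connection to its own server, the TLS
    handshake raises ssl.SSLCertVerificationError (wrapped in URLError)
    rather than returning that server's answer.
    """
    req = urllib.request.Request(
        doh_get_url(name, base), headers={"Accept": "application/dns-message"}
    )
    with urllib.request.urlopen(req, context=strict_tls_context(), timeout=5) as resp:
        return resp.read()
```

The failure mode to avoid is setting `check_hostname = False` or `verify_mode = ssl.CERT_NONE` to "fix" connection errors on such a network, which removes the property the reply relies on.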