by Dah00n 1858 days ago
Sadly, I don't think you can ever win a battle against DoH unless you control all devices on the network and can live without any that try to use it. I would hate to run an enterprise or school network these days!

My home LAN is a total overkill setup because I like tinkering with this stuff. If you want more control, my advice would be to look at enterprise hardware, as used enterprise hardware can often be found cheaper than way worse equipment made for home users. Just make sure it doesn't have loud fans, or that they can be disabled (which they mostly can outside hot server rooms). I swapped out my switches with some cheap HP 1910-24G managed switches and connected them with fiber. I got 3 of those cheaper than the one crappy Linksys I had before, which last had a firmware update months before I bought it! But if I had to recommend a single easy solution, I would buy a ready-to-go OPNsense device. I only know this shop in Sweden though: https://teklager.se/en/products/routers/

Basically, what I did after I stopped using Pi-hole was to set up pfSense (later switched to OPNsense when I found out that pfSense isn't actually open source) and broke up my LAN (via VLANs, which is where the HP 1910s came into the picture) into three pieces:

- DMZ that is totally open for PlayStation etc. No access from or to this from/to anything on the LANs.

- LAN1, where only whitelisted things have WAN access. This is where all normal traffic is.

- LAN2, where anything that needs access from the WAN is connected (this also has its own WAN IP).

Geeky!
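The three-segment layout the comment describes, written out as a pf rule set (added illustration, not the commenter's configuration; OPNsense normally manages these rules through its GUI, and the interface names, VLAN ids, addresses and the forwarded port are all assumed):

```pf
# Illustrative pf.conf for the DMZ / LAN1 / LAN2 split (all names and addresses assumed)
ext_if  = "igb0"      # primary WAN uplink
ext2_if = "igb1"      # second WAN address used by LAN2 (assumed)
dmz_if  = "vlan10"    # DMZ: consoles etc., Internet only
lan1_if = "vlan20"    # LAN1: normal clients, WAN only for whitelisted hosts
lan2_if = "vlan30"    # LAN2: hosts that must be reachable from the WAN

dmz_net  = "10.10.0.0/24"
lan1_net = "10.20.0.0/24"
lan2_net = "10.30.0.0/24"
table <lan_nets>         { 10.20.0.0/24, 10.30.0.0/24 }
table <lan1_wan_allowed> { 10.20.0.10, 10.20.0.11 }   # whitelisted LAN1 hosts (assumed)

set skip on lo0

# NAT: DMZ and whitelisted LAN1 hosts leave via the primary uplink, LAN2 via the second one
nat on $ext_if  from $dmz_net           to any -> ($ext_if)
nat on $ext_if  from <lan1_wan_allowed> to any -> ($ext_if)
nat on $ext2_if from $lan2_net          to any -> ($ext2_if)
# Inbound service on LAN2, reachable on the second WAN address (assumed TCP 443)
rdr on $ext2_if proto tcp from any to ($ext2_if) port 443 -> 10.30.0.5 port 443

# Default deny; every rule below is an explicit allow, logged drops make auditing easy
block log all

# DMZ: may reach the Internet, never the LANs, and nothing from the LANs reaches it
block in quick on $dmz_if from $dmz_net to <lan_nets>
pass  in quick on $dmz_if from $dmz_net to any
block in quick on { $lan1_if, $lan2_if } from <lan_nets> to $dmz_net

# LAN1: free to talk to LAN2, but only whitelisted hosts get past the router to the WAN
pass in quick on $lan1_if from $lan1_net          to <lan_nets>
pass in quick on $lan1_if from <lan1_wan_allowed> to any
# everything else from LAN1 falls through to the default block above

# LAN2: full outbound, plus the forwarded service (filter rules see the translated address)
pass in quick on $lan2_if from $lan2_net to any
pass in quick on $ext2_if proto tcp from any to 10.30.0.5 port 443 flags S/SA

pass out quick all
```

The "block log all" default plus "quick" allows is what makes the whitelist on LAN1 enforceable: a client that is not in the table simply has no rule that matches its WAN-bound traffic, and the logged drop shows which device tried. Note that this only controls what crosses the router; devices that resolve names over DoH inside an allowed HTTPS flow are exactly the case the comment says you cannot fully win against.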