by patrickserrano 1572 days ago
I have an LG OLED TV and I use pi-hole to block all of the creepy ad-tech that's built into it. Whenever I want to check if there are updates to anything on the TV, I disable the pi-hole for 5 mins and manually check for updates.

This is a good starting block-list: https://gist.github.com/wassname/78eeaaad299dc4cddd04e372f20...


Aren't some devices now building in (or skipping really) DNS so they bypass pi hole?

I just block the DNS traffic that is not going to your local DNS.

I use AdGuard Home, find it better than Pi-Hole, and it uses DoT for queries (can do that with Pi-hole but you need to set up a proxy for that manually), so I just block anything on port 53 where the destination is not my internal DNS.

Yeah, but I mean they aren't looking up DNS entries and using hard-coded addresses. So they don't use port 53.

https://www.reddit.com/r/Roku/comments/602cnk/is_there_any_o...

The DNS server is hardcoded, so they use the DNS server that Samsung wants instead of your local one. But it will fail over to the local network DNS if it fails to connect to the hardcoded server, as far as I know.

It is not the ads server that is hardcoded. I doubt they will ever do that because that is hard to manage and does not scale.

So there will be traffic on port 53 that will be captured and redirected to my local DNS server.

What about clients using DoH?

I block DoT and DNS-over-QUIC since they use specific ports.

DoH is hard, but most devices that I worry about do not use it yet, so I am not doing anything.

If this starts becoming a problem, either we will need to build a list of DoH server addresses to blacklist, and this will be a cat and mouse game, or you will need an HTTPS middlebox to look at what is in there to see if it is DoH and block or not, and that brings a whole lot of other problems.

Some devices have hard coded DNS settings, but you can set up a rule on most decent routers to NAT all DNS requests (port 53) that don't come from your pihole (or similar), back to that DNS server.
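
The port-53 redirect and the DoT/DoQ port blocks discussed in this thread, written out as an added example (not posted by any commenter): a shell function that emits an nftables ruleset for a Linux router. The interface name `br-lan`, the resolver address `192.168.1.2` and the table name `dnsguard` are constructed placeholders; port 853 is the registered port for DoT (TCP) and DoQ (UDP).

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that forces LAN DNS through one resolver.
# Assumed (constructed) values: LAN interface "br-lan", resolver 192.168.1.2.
# Load on the router with:  gen_dns_ruleset br-lan 192.168.1.2 | nft -f -

gen_dns_ruleset() {
    lan=$1
    dns=$2
    # Refuse anything that is not a plain interface name / dotted IPv4 address,
    # so malformed input never reaches the ruleset text.
    printf '%s\n' "$lan" | grep -Eq '^[A-Za-z0-9_.-]+$' || return 1
    printf '%s\n' "$dns" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1

    cat <<EOF
table ip dnsguard {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Port 53 from any client (not the resolver itself, which must reach
        # its upstreams) is rewritten to the local resolver.
        iifname "$lan" ip saddr != $dns ip daddr != $dns udp dport 53 dnat to $dns
        iifname "$lan" ip saddr != $dns ip daddr != $dns tcp dport 53 dnat to $dns
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Resolver on the same LAN as the clients: masquerade the redirected
        # queries so replies return via the router and match the client's flow.
        oifname "$lan" ip daddr $dns udp dport 53 masquerade
        oifname "$lan" ip daddr $dns tcp dport 53 masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # DoT (TCP 853) and DoQ (UDP 853) cannot be redirected, only refused.
        iifname "$lan" ip saddr != $dns tcp dport 853 reject with tcp reset
        iifname "$lan" ip saddr != $dns udp dport 853 drop
    }
}
EOF
}

# Print the ruleset when run directly with two arguments.
if [ "$#" -eq 2 ]; then gen_dns_ruleset "$1" "$2"; fi
```

With the masquerade rules in place the resolver logs redirected queries as coming from the router rather than from the individual device. DoH on port 443 is not affected by any of these rules.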