by cjcampbell 1064 days ago
I’d expect most firewalls to allow DNS traffic to locally configured resolvers without prompts, and I figure this is also extended to mDNS traffic, which doesn’t leave your local LAN by default.

From the mDNS side of things, you could easily block if your firewall allows you to set up port based deny rules (in this case UDP/5353). This should resolve the privacy leak from the OP, though you may find that you lose expected functionality on your host and local network depending on whether you block inbound, outbound, or both.

Unicast DNS gets a bit trickier (even without considering DoH). Depending on browser and OS configuration, you won’t be talking to more than a handful of resolvers directly. Ideally, you allow communication with these resolvers and block all other DNS traffic. You definitely don’t want to set a rule that allows you to accept each and every query, so in that sense, DNS will be bypassing the firewall.

What’s better in this case is a resolver with filtering capabilities, e.g., pihole.
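The policy sketched in the comment above (drop mDNS on UDP/5353, allow unicast DNS only to the resolvers the host is configured to use, and drop everything else on port 53 so it cannot quietly bypass the firewall) can be expressed as an nftables ruleset. The following POSIX shell script is an added example, not code from the comment or from any project it mentions; it assumes a Linux host with nftables, reads nameserver lines from resolv.conf-style text, and emits a ruleset on stdout. The resolv.conf contents and resolver addresses are constructed sample data.

```shell
#!/bin/sh
# Generate an nftables ruleset that:
#   - drops mDNS (UDP/5353) in both directions,
#   - accepts DNS (TCP/UDP 53) only to the configured resolvers,
#   - logs and drops DNS to any other destination (the "bypass" case).
# Assumption: Linux + nftables; apply the output with `nft -f <file>`.

# Constructed sample resolv.conf (not a real host configuration).
SAMPLE_RESOLV_CONF='# constructed sample
nameserver 192.0.2.53
nameserver 2001:db8::53
search example.test
'

# Read resolv.conf text on stdin, print one nameserver address per line.
resolvers_from_conf() {
    awk '$1 == "nameserver" { print $2 }'
}

# Build the ruleset for the resolver addresses given as arguments.
# IPv6 addresses (containing ':') go into an ip6 rule, the rest into an ip rule.
build_ruleset() {
    v4=""
    v6=""
    for r in "$@"; do
        case "$r" in
            *:*) v6="${v6}${v6:+, }$r" ;;
            *)   v4="${v4}${v4:+, }$r" ;;
        esac
    done
    cat <<EOF
table inet dns_policy {
    chain output {
        type filter hook output priority 0; policy accept;
        # mDNS never needs to leave the host unless you rely on local discovery
        udp dport 5353 drop
EOF
    if [ -n "$v4" ]; then
        printf '        ip daddr { %s } meta l4proto { tcp, udp } th dport 53 accept\n' "$v4"
    fi
    if [ -n "$v6" ]; then
        printf '        ip6 daddr { %s } meta l4proto { tcp, udp } th dport 53 accept\n' "$v6"
    fi
    cat <<EOF
        # any other DNS destination is a leak or a bypass: log it, then drop
        meta l4proto { tcp, udp } th dport 53 log prefix "dns-bypass " drop
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # dropping inbound mDNS as well breaks local service discovery; omit if needed
        udp dport 5353 drop
    }
}
EOF
}

# Convenience wrapper: resolv.conf text in, ruleset out.
generate_policy() {
    # shellcheck disable=SC2046  # word splitting on the resolver list is intended
    build_ruleset $(printf '%s' "$1" | resolvers_from_conf)
}

# Stand-alone run: print the ruleset for the constructed sample.
generate_policy "$SAMPLE_RESOLV_CONF"
```

Review the generated ruleset before loading it with `nft -f`; the `log prefix "dns-bypass "` rule is what makes an application that ignores the system resolvers visible in the kernel log rather than silently failing. DoH is not covered here, since it rides on TCP/443 and cannot be separated from ordinary HTTPS by port alone.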