by aws-user 891 days ago
malware and other spying apps (like your television) are just adopting DNS over HTTPS (DoH) and bypassing whatever local DNS server you have deployed on your network, pihole and such are quickly becoming irrelevant.
2 comments

That's why you block 53/udp and 53/tcp ports in your home gateway IP forwarder.

Insidious things, tsk tsk.

DNS over HTTPS is using port 443 because it's... HTTPS. Are you blocking that too?
You can block HTTPS to known DoH providers. You can set up an alias in a firewall to load the list from https://public-dns.info/nameservers-all.txt. It's a bit of a cat-and-mouse game as it relies on that list being updated frequently and reliably, but it's the best you're gonna get for blocking DoH.

Also make sure to block outgoing TCP and UDP 853 – this blocks DoT and DoQ too.
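One way to turn such a list into firewall rules, as an added example that is not code from any commenter: it parses the one-address-per-line format (a constructed sample is embedded; the addresses are documentation ranges, not real resolvers) and emits an nftables ruleset that drops TCP/UDP 443 to the listed resolvers and TCP/UDP 853 everywhere. The table and set names are my own choice.

```python
import ipaddress

# Constructed sample in the one-address-per-line shape of a resolver list;
# documentation-range addresses only, plus a comment, a junk line and a duplicate.
SAMPLE_LIST = """\
# resolvers (constructed sample)
192.0.2.10
198.51.100.53
2001:db8::53
not-an-ip
192.0.2.10
"""


def parse_resolver_list(text):
    """Return (sorted unique IPv4 strings, sorted unique IPv6 strings)."""
    v4, v6 = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the whole load
        (v4 if addr.version == 4 else v6).add(addr)
    return [str(a) for a in sorted(v4)], [str(a) for a in sorted(v6)]


def nft_ruleset(v4, v6):
    """Build an nftables ruleset (table/set names are hypothetical) that
    drops DoH (443) to listed resolvers and DoT/DoQ (853) to anywhere."""
    def elems(addrs):
        return "elements = { " + ", ".join(addrs) + " }" if addrs else ""
    return f"""table inet doh_block {{
    set doh_v4 {{ type ipv4_addr; {elems(v4)} }}
    set doh_v6 {{ type ipv6_addr; {elems(v6)} }}
    chain forward {{
        type filter hook forward priority 0; policy accept;
        ip daddr @doh_v4 meta l4proto {{ tcp, udp }} th dport 443 drop
        ip6 daddr @doh_v6 meta l4proto {{ tcp, udp }} th dport 443 drop
        meta l4proto {{ tcp, udp }} th dport 853 drop
    }}
}}
"""


if __name__ == "__main__":
    # Feed the output to: nft -f <file>
    print(nft_ruleset(*parse_resolver_list(SAMPLE_LIST)))
```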

Have you found any open resolvers that are using a shared CDN IP? I've been on the lookout for those ever since the first discussion of DoH appeared on HN. I have yet to find one but I would really like to know details if you have found one. Thus far I have been able to block DoH by NXDOMAIN'ing "use-application-dns.net" and blackhole routing about 80 IP addresses.
That's why you run a transparent HTTPS proxy gateway with ICAP DNS filters.
This DNS server supports DNS-over-TLS, DNS-over-HTTPS and DNS-over-QUIC among others, so it can’t be bypassed.