[SparkyMcUnicorn]

My non-root solution is to use NextDNS or ControlD with "private DNS" (DNS over TLS).

Doesn't stop direct IP connections, but it's good enough.

I also have the CLI installed on OpnSense so DoH is enforced for all devices on my LAN as well.