Hacker News
by ycombinatrix 645 days ago
Block all outgoing traffic to port 53 in your router. This catches everything using plaintext DNS or DoT.

This does nothing to stop anything intentionally circumventing your DNS settings. There's no reason DNS traffic has to be on port 53, and DoH is undetectable.
> This does nothing to stop anything intentionally circumventing your DNS settings.

It makes it substantially more difficult. My firewall statistics are proof of that. On a production network you'd have everything blocked.
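The rule set the top comment describes, as an added example that is not from any of the commenters: an nftables ruleset for a Linux router that drops forwarded LAN traffic on the standard DNS ports unless it is addressed to one designated resolver. Plaintext DNS is 53/udp and 53/tcp; DoT is TCP 853 (RFC 7858), so it is matched as well, and the counters on the drop rules are the "firewall statistics" the last reply refers to. The interface name, LAN subnet and resolver address are placeholder assumptions. As the first reply points out, this only covers the standard ports: a client that resolves on a non-standard port or over DoH on 443 is not affected.

```shell
#!/bin/sh
# Added example, not from the thread. Generates and loads an nftables ruleset
# that blocks forwarded DNS (53/udp, 53/tcp) and DoT (853/tcp) from LAN clients
# unless the destination is the resolver the router wants them to use.
# Interface, subnet and resolver values are assumptions for illustration.

# Print the ruleset to stdout. Arguments: LAN interface, LAN subnet, allowed resolver.
gen_dns_egress_ruleset() {
    lan_if="$1"     # e.g. br-lan (assumption)
    lan_net="$2"    # e.g. 192.168.1.0/24 (assumption)
    resolver="$3"   # resolver clients may reach, e.g. 192.168.1.1 (assumption)
    cat <<EOF
# Create the table if missing, then flush it so reloading this file is idempotent.
add table inet dns_egress
flush table inet dns_egress

table inet dns_egress {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Allow the one resolver clients are meant to use. This only matters when
        # that resolver is beyond the router (e.g. a trusted upstream); traffic to
        # the router itself or to another LAN host never passes the forward hook.
        iifname "$lan_if" ip saddr $lan_net ip daddr $resolver udp dport 53 accept
        iifname "$lan_if" ip saddr $lan_net ip daddr $resolver tcp dport { 53, 853 } accept

        # Everything else leaving on the standard DNS/DoT ports is counted, logged and dropped.
        # Only ports 53 and 853 are matched: DoH on 443 or a resolver on an odd port passes.
        iifname "$lan_if" ip saddr $lan_net udp dport 53 counter log prefix "dns-egress-drop: " drop
        iifname "$lan_if" ip saddr $lan_net tcp dport { 53, 853 } counter log prefix "dns-egress-drop: " drop
    }
}
EOF
}

# Syntax-check the generated ruleset with nft -c (check only, nothing applied),
# then load it. Needs root and nftables on the router; not exercised here.
apply_dns_egress_ruleset() {
    tmp=$(mktemp) || return 1
    gen_dns_egress_ruleset "$@" > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone run: print the ruleset for review before loading it with
# apply_dns_egress_ruleset br-lan 192.168.1.0/24 192.168.1.1
gen_dns_egress_ruleset br-lan 192.168.1.0/24 192.168.1.1
```

After loading, a quick check from a LAN client is `dig @9.9.9.9 example.com` (should time out) against `dig example.com` through the router's resolver (should answer), and `nft list table inet dns_egress` on the router shows the per-rule counters of what has been caught.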