[ycombinatrix]

You also need to block outgoing UDP traffic to port 53 in your router, in case the IoT devices fall back to a preconfigured resolver. And even that doesn't 100% work because they can use DNS over HTTPS.

Best to just airgap the device.