(I'll relpy in english, as the forum is open to a wider audience.)
Yes, the proposed solution could be an alternative.
But, as per our internal policy, we hardly change IPs and assigned IPv6 networks to the clients. So we are trying to find a solution, that can be integrated with our RADIUS server and that doesn't mean change the whole network topology nor perform unnecessary routing and/or filtering tasks. Right now, passing to the client the chosen resolver is the simplest way. As we want to have a full dual stack network and we are encouraging our customers to adopt IPv6, the solution should be working for both stacks, in the same way.
If you have any other valid solution we will be very happy to hear from you.
Perché no,
as I said, we'll talk about it again in September, now I'm too busy to follow the new fiber activations for expanding the network capacity.
Either way, you have to intercept DNS requests and redirect them to yours, plus you have to block DoH,
otherwise the basic filter doesn't work even with newly installed browsers and smartphones as they come out of the box...