Not an expert as @rextended is, but let me give you my point of view;
like you, I'm using an external DNS service for my router, and I want to make sure some stupid devices are not using other services. Redirecting DNS requests from LAN devices on port 53 is easy using NAT firewall rules;
- DoT: drop dst-port=853 from RAW + tls-host=!*nextdns* (my Android phone is using NextDNS and I don't want it to be blocked)
- DoH: drop dst-port=443 from RAW + dst-address-list="DoH list"
this list contains IP addresses from CloudFlare, and you'll also block some websites
What I'm still learning is whether tls-host= is useful: browsers are using DoH via TLS 1.3, encrypted (thanks rextended for the info in a previous post). If you use a tls-host exception for the DoH rule, it will be ignored; no problem with phones that are using DoT or DoH with TLS 1.2 (still testing this).
If you use DoH with the Chrome browser and you drop the DoH IP addresses, it's not switching to standard DNS; Firefox is.
Something might not be correct.
I found much useful information here:
https://github.com/jpgpi250/piholemanual
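As an added example (not code from the original post, nor MikroTik's own documentation), here are the three rules described above written out as RouterOS CLI commands: the port 53 NAT redirect, the RAW drop for DoT with a NextDNS SNI exception, and the RAW drop for DoH against an address list. The interface-list name LAN, the address-list name DoH (the post calls it "DoH list") and the sample list entries are assumptions; adjust them to your setup.

```routeros
# Added example, not from the original post. Assumes the default interface
# list "LAN" exists and that the router itself forwards to the external
# DNS service. Address-list name "DoH" and its entries are sample values.

# The router must answer DNS for LAN clients; the default firewall's
# "drop everything not from LAN" input rule keeps this off the WAN side.
/ip dns set allow-remote-requests=yes

# 1. Plain DNS: transparently redirect every UDP/TCP port 53 query from the
#    LAN to the router's own resolver. A device with a hard-coded resolver
#    (e.g. 8.8.8.8) keeps working but is actually answered by the router.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="Force LAN DNS (UDP) to router"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="Force LAN DNS (TCP) to router"

# 2. DoT: drop TCP/853 from the LAN in RAW (before connection tracking),
#    except when the TLS SNI matches *nextdns* (the phone's resolver).
#    The SNI is read from the ClientHello, so the exception can only
#    apply while that hostname is visible in the first packet.
/ip firewall raw
add chain=prerouting in-interface-list=LAN protocol=tcp dst-port=853 \
    tls-host=!*nextdns* action=drop comment="Drop DoT except NextDNS"

# 3. DoH: drop TCP/443 from the LAN to known DoH resolvers. Address-list
#    entries may be FQDNs; RouterOS resolves them and refreshes the
#    addresses. Sample entries only (assumption); add the resolvers you
#    actually want blocked. Entries that resolve to shared CDN addresses
#    will also block ordinary websites hosted on the same IPs.
/ip firewall address-list
add list=DoH address=cloudflare-dns.com comment="Cloudflare DoH endpoint"
add list=DoH address=1.1.1.1 comment="Cloudflare public resolver"
add list=DoH address=1.0.0.1 comment="Cloudflare public resolver"
add list=DoH address=dns.google comment="Google DoH endpoint"
/ip firewall raw
add chain=prerouting in-interface-list=LAN protocol=tcp dst-port=443 \
    dst-address-list=DoH action=drop comment="Drop DoH to listed resolvers"

# Checks from a LAN client (constructed, not output from the post):
#   dig @8.8.8.8 example.com   -> answered; the reply comes from the router
#   /ip firewall raw print stats   -> packet counters on the two drop rules
#                                     grow when a device tries DoT/DoH
```

Order matters: RAW prerouting rules are evaluated before NAT and before connection tracking, so a dropped DoT/DoH attempt never creates a connection entry and the client just sees a timeout rather than a reset. The tls-host matcher only works on a ClientHello whose SNI is readable in a single segment; a handshake where the ClientHello is fragmented across TCP segments, or where the SNI is encrypted (Encrypted Client Hello), will not match the exception and falls through to the drop.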