yea when it's DoH or DoT I don't think you can re-route the DNS request inflight. (where the device thinks it's talking to 8.8.8.8 but it's not).

You can block access to other resolvers though which usually works.

Eventually devices might just start using hardcoded IPs...