I am not familiar with dnsmasq at all (is this machine-local?), but absolutely love my PiHole hardware — you can even create rules which intercept hard-coded-IP DNS request and/or httpsDNS. You can also hard-code/intercept .TLD to local service IPs.

Programs like LittleSnitch never really seem like "enough" for me, because the computer has to boot before DNS filtering comes online. It also has the design error (IMHO) of pre-resolving IP addresses before clicking Accept/Deny(all).

A great blockrule for your personal firewalls would be to ban (at top level) icloud.com, apple.com, &c; system updates can then be performed manually using guides like <http://www.mrmacintosh.com>. Of course: this breaks everything (in exactly the way I prefer to compute).