NextDNS offers a DoH endpoint and is a selectable TRR in Firefox. Unfortunately that doesn't help with apps doing DoH to bypass DNS blocking. The current state of the Internet / computing is a bit problematic, but there are ways forward.
What I do and recommend everyone to do is:
1. Run an edge network device using network access controls and filter which devices on your network get outbound network access (in my case just the gateway device). Block all inbound traffic except what you choose to pinhole, block all outbound traffic except ports you choose to add to the allow list.
2. On every client device run a local application firewall (I like Vallum and Little Snitch on macOS as examples) and filter applications by domain + port on outbound requests, block all inbound requests.
3. On every client device force it through a VPN to a gateway device internal to your network to get internet access; anything that falls off the VPN is then blocked from the internet. The gateway device can forcibly route traffic and perform additional filtering.
4. On every client device, configure it to use an internal DNS on your network with a fallback to a trustworthy external provider, have the internal DNS use a trustworthy external provider over DoH. Block outbound DNS at the edge device (blocks all non-encrypted lookups).
It's kind of a pain, and a mess, but it does greatly restrict the damage that rogue IoT / Smart devices can do.
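A way to check that the edge policy from steps 1 and 4 above actually holds is to audit the gateway's outbound flow records against it. The following is an added example written for this page, not code from the commenter: it encodes the policy (only the gateway leaves the network, only allow-listed ports, no plaintext DNS past the edge) and runs it over a few constructed flow-log lines. It goes one step beyond the comment by also flagging a client that talks HTTPS straight to the upstream DoH provider instead of going through the internal resolver. The addresses, the `src=... dst=... proto=... dport=...` log format, the allow list and the provider range are all constructed assumptions; substitute your own.

```python
"""Audit outbound flow records against a home-network egress policy.

Added example, not part of the original comment. Every address, the log
format and the allow list below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# --- Constructed policy parameters (assumptions, adjust to your network) ---
LAN = ip_network("192.168.1.0/24")
GATEWAY = ip_address("192.168.1.1")          # the only host allowed to reach the Internet (step 1)
RESOLVER = ip_address("192.168.1.1")         # internal DNS resolver; here it runs on the gateway (step 4)
ALLOWED_OUTBOUND_PORTS = {                   # edge allow list: https, http, a WireGuard tunnel
    ("tcp", 443),
    ("tcp", 80),
    ("udp", 51820),
}
DOH_PROVIDER = ip_network("203.0.113.0/24")  # placeholder range standing in for the trusted DoH provider


@dataclass
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: 'src=A dst=B proto=P dport=N'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(
        src=ip_address(fields["src"]),
        dst=ip_address(fields["dst"]),
        proto=fields["proto"].lower(),
        dport=int(fields["dport"]),
    )


def audit_flow(flow: Flow) -> list[str]:
    """Return the policy violations for one flow (empty list means compliant)."""
    findings: list[str] = []
    # Only LAN -> Internet flows are in scope; internal traffic is handled by step 2/3.
    if flow.src not in LAN or flow.dst in LAN:
        return findings
    # Step 4: plaintext DNS never leaves the edge, regardless of source.
    if flow.dport == 53:
        findings.append("plaintext DNS leaving the edge")
    # Step 1: only the gateway has outbound access, and only on allow-listed ports.
    if flow.src != GATEWAY:
        findings.append("non-gateway device reaching the Internet directly")
    elif (flow.proto, flow.dport) not in ALLOWED_OUTBOUND_PORTS:
        findings.append(f"port {flow.proto}/{flow.dport} not on allow list")
    # Extra check: only the internal resolver may speak DoH to the upstream provider.
    if flow.dst in DOH_PROVIDER and flow.dport == 443 and flow.src != RESOLVER:
        findings.append("DoH to upstream provider bypassing the internal resolver")
    return findings


def audit_log(log: str) -> list[tuple[str, list[str]]]:
    """Audit every non-empty line of a flow log; return only the violating lines."""
    results = []
    for line in log.splitlines():
        if not line.strip():
            continue
        findings = audit_flow(parse_flow(line))
        if findings:
            results.append((line, findings))
    return results


# Constructed sample flow log: one compliant DoH lookup by the resolver,
# a leaked plaintext lookup, a client bypassing the resolver, an internal
# lookup (out of scope) and an SMTP connection not on the allow list.
SAMPLE_LOG = """\
src=192.168.1.1 dst=203.0.113.10 proto=tcp dport=443
src=192.168.1.1 dst=198.51.100.7 proto=udp dport=53
src=192.168.1.42 dst=203.0.113.10 proto=tcp dport=443
src=192.168.1.42 dst=192.168.1.1 proto=udp dport=53
src=192.168.1.1 dst=198.51.100.7 proto=tcp dport=25
"""

if __name__ == "__main__":
    for line, findings in audit_log(SAMPLE_LOG):
        print(line)
        for f in findings:
            print("   -", f)
```

Feeding the gateway's real conntrack or firewall log through `audit_log` turns the policy in the comment into a regression check: any line it reports is either a rule that is missing at the edge or a device that found a way around it.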