M$ Windows, Android and Apple are already trying to bypass DNS-blockers.
I am quite pleased by the performance of my two CLI-instances of NextDNS. Everything at my place is running fine, lots of lookups get blocked.
So at this stage to further harden DNS-blocking, I have implemented a redirect on port 53 outgoing pointing back to my CLI-instances dmasqing their redirection. Viewing the logs for hitting those rules, I have seen connection lookups from many internal devices to Google-DNS servers (Android devices, Apple-Devices with Google-apps), German Telekom DNS-servers (Microsoft Windows 11 mainly) and other servers, by all means trying to bypass their known DNS-servers.
While this is not very new to me, it is bugging me that in future times, when future systems evolve, DNS-blocking will be a thing of the past that just puts you under a false assumption of safety.
I can block DNS/DoT lookups only on known ports, but cannot block DoH lookups without implementing an IDS/IPS system that sniffs all https-traffic.
And Windows 11 / Server 2022 already have native DoH techniques implemented, and I am pretty sure they already use them.
The eternal cat-and-mouse game is already happening on DNS-turf....
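The port-53 redirect and the log review described in the post, as an added example that is not code from the original post or from NextDNS. It assumes nftables on the gateway, a LAN interface named lan0 and a NextDNS CLI instance listening on 192.168.1.2; the log lines it summarises are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or from NextDNS.
# Assumptions (not stated in the post): the LAN-facing interface is "lan0",
# the NextDNS CLI instance listens on 192.168.1.2, and the gateway uses nftables.
RESOLVER="${RESOLVER:-192.168.1.2}"
LAN_IF="${LAN_IF:-lan0}"

# Ruleset: force every LAN port-53 lookup (UDP and TCP) that is not aimed at
# the local resolver back to it, log the attempt, and reject DoT on 853.
# DoH on 443 is indistinguishable from ordinary HTTPS here, which is exactly
# the gap the post describes.
dns_redirect_ruleset() {
  cat <<EOF
table ip dnsguard {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "$LAN_IF" ip saddr != $RESOLVER ip daddr != $RESOLVER udp dport 53 log prefix "DNS-BYPASS: " dnat to $RESOLVER
    iifname "$LAN_IF" ip saddr != $RESOLVER ip daddr != $RESOLVER tcp dport 53 log prefix "DNS-BYPASS: " dnat to $RESOLVER
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    iifname "$LAN_IF" ip saddr != $RESOLVER tcp dport 853 log prefix "DOT-BYPASS: " reject
  }
}
EOF
}

apply_ruleset() { dns_redirect_ruleset | nft -f -; }  # loads the ruleset, needs root

# Summarise the kernel log lines the rules emit: which internal device tried
# which external resolver on which port, and how often (most frequent first).
bypass_summary() {
  grep -E '(DNS|DOT)-BYPASS:' | awk '{
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SRC=/) src = substr($i, 5)
      if ($i ~ /^DST=/) dst = substr($i, 5)
      if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    n[src " -> " dst ":" dpt]++
  } END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample log lines (syslog format of the nft "log" statement);
# 203.0.113.9 is a documentation-range stand-in for some other external resolver.
SAMPLE_LOG='Jan 10 20:01:02 gw kernel: DNS-BYPASS: IN=lan0 OUT=wan0 SRC=192.168.1.50 DST=8.8.8.8 LEN=62 PROTO=UDP SPT=51234 DPT=53 LEN=42
Jan 10 20:01:03 gw kernel: DNS-BYPASS: IN=lan0 OUT=wan0 SRC=192.168.1.50 DST=8.8.8.8 LEN=62 PROTO=UDP SPT=51235 DPT=53 LEN=42
Jan 10 20:01:05 gw kernel: DOT-BYPASS: IN=lan0 OUT=wan0 SRC=192.168.1.77 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=40000 DPT=853 SYN
Jan 10 20:01:07 gw kernel: DNS-BYPASS: IN=lan0 OUT=wan0 SRC=192.168.1.90 DST=203.0.113.9 LEN=62 PROTO=UDP SPT=1024 DPT=53 LEN=42'
printf '%s\n' "$SAMPLE_LOG" | bypass_summary
```

On a live gateway, feed `journalctl -k` or `/var/log/kern.log` into `bypass_summary` instead of the sample to get the same per-device table the post talks about.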