
Unifi OS, how do you block all DNS except Nextdns?

Looking to force all DNS traffic over NextDNS so that no one on my network can easily bypass DNS.

4 replies

    • Eric.9
    • 8 days ago

    First, block DoH/DoT in the Network app: Settings -> Security -> Traffic & Firewall Rules (choose Simple). Create an entry, select Block as the action and App as the type, choose the networks you want to enforce the rule on, and for the destination choose DNS over HTTPS and DNS over TLS.

    I also listed 244 domains (gathered from various sources on the net) that are also blocked with one of these simple firewall rules. These are all DoH server domain names.

    Second, switch to Advanced in Traffic & Firewall Rules. In LAN In, create a firewall rule with Accept as the action, all networks as the source, and all of your NextDNS IP addresses for your various profiles as the destination. For mine, I have source network all (I had to create a new IP address group) and port any. Destination is my profile IP addresses. I'm using DNSFilter instead of NextDNS, but that's not relevant to what you're doing here. See pic below.

    After creating that rule, create another rule blocking DNS resolvers. Make sure you put this AFTER your allow rule for your NextDNS IPs. Source is port/IP group, address group any, port group any. Destination is port/IP group, address group any, and port group DNS ports. Create a new port group and put 53 and 853 in it for the ports.

    I'm hoping that Ubiquiti uses dnsmasq in a future release.  It would spoof DNS resolvers.  So if a client has 8.8.8.8 set on their client individually, the UniFi console would use its own DNS resolver and pretend like it's 8.8.8.8.  The client would never know the difference.

    The above rules work well. Guests that come over have trouble connecting when they have Apple iCloud relay enabled.
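
The ordering point in the reply above (allow your NextDNS profile IPs first, then block everything else on the DNS ports) is easy to get wrong in the UniFi GUI and hard to see without traffic. The following is an added example, not code from this thread or from Ubiquiti: a small first-match simulation of that LAN In rule set, run against constructed packets. The resolver addresses are placeholders from the RFC 5737 documentation ranges; substitute the IPs NextDNS shows for your own profile. The "app" label on a packet stands in for what the gateway's DPI engine would tag a DoH or DoT flow as.

```python
"""Rule-order simulation for the UniFi LAN In rules described in the post above.

Added example, not code from the thread or from Ubiquiti: a first-match firewall
evaluator with three rules (block DoH/DoT by app, allow NextDNS profile IPs,
block everything else on the DNS ports). The resolver addresses are
placeholders from the RFC 5737 documentation ranges; substitute the IPs
NextDNS shows for your own profile.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    app: str = ""   # label a DPI engine would attach, e.g. "doh" or "dot"; "" = unclassified


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "accept" or "drop"
    dst_nets: Tuple[str, ...] = ()   # empty tuple = any destination
    dports: Tuple[int, ...] = ()     # empty tuple = any port
    apps: Tuple[str, ...] = ()       # empty tuple = any app

    def matches(self, p: Packet) -> bool:
        dst = ipaddress.ip_address(p.dst)
        if self.dst_nets and not any(dst in ipaddress.ip_network(n) for n in self.dst_nets):
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.apps and p.app not in self.apps:
            return False
        return True


# Assumed NextDNS profile resolver IPs (placeholders, RFC 5737 range).
NEXTDNS_PROFILE_IPS = ("203.0.113.10/32", "203.0.113.11/32")
DNS_PORTS = (53, 853)            # plain DNS and DNS over TLS, as in the port group above

# Same order as the post: app block, then NextDNS allow, then generic DNS-port block.
RULESET = (
    Rule("block DoH/DoT apps", "drop", apps=("doh", "dot")),
    Rule("allow NextDNS profile IPs", "accept", dst_nets=NEXTDNS_PROFILE_IPS),
    Rule("block other DNS resolvers", "drop", dports=DNS_PORTS),
)

# The mistake the post warns about: generic block placed before the allow.
MISORDERED = (RULESET[0], RULESET[2], RULESET[1])


def evaluate(ruleset, packet, default="accept"):
    """First matching rule wins; unmatched traffic falls through to the default."""
    for rule in ruleset:
        if rule.matches(packet):
            return rule.action, rule.name
    return default, "default"


def allows_only_nextdns(ruleset):
    """Sanity check for a rule set: the NextDNS resolvers must be reachable and every
    other DNS/DoT/DoH path must be dropped. Returns True when the ordering is sound."""
    client = "192.168.1.20"                      # constructed LAN client
    must_accept = [Packet(client, "203.0.113.10", 53), Packet(client, "203.0.113.11", 853)]
    must_drop = [
        Packet(client, "8.8.8.8", 53),               # hard-coded public resolver on the client
        Packet(client, "1.1.1.1", 853),              # DoT to another resolver
        Packet(client, "198.51.100.5", 443, "doh"),  # DoH flow tagged by DPI
    ]
    return (all(evaluate(ruleset, p)[0] == "accept" for p in must_accept)
            and all(evaluate(ruleset, p)[0] == "drop" for p in must_drop))


if __name__ == "__main__":
    for name, rs in (("as in the post", RULESET), ("misordered", MISORDERED)):
        print(f"{name}: sound={allows_only_nextdns(rs)}")
        print("  8.8.8.8:53  ->", evaluate(rs, Packet("192.168.1.20", "8.8.8.8", 53)))
        print("  NextDNS:53  ->", evaluate(rs, Packet("192.168.1.20", "203.0.113.10", 53)))
```

With the rules in the post's order the NextDNS query is accepted and the hard-coded 8.8.8.8 query is dropped; with the generic DNS-port block moved above the allow, the NextDNS query is dropped too and the check fails. The simulation deliberately leaves out what the two port-based rules cannot see: DoH to an IP that the DPI engine does not classify rides on 443 like any other HTTPS and falls through to the default, which is why the reply pairs the port rules with the app rule and the DoH domain list.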

    • sidnen
    • 7 days ago

    For Traffic & Firewall Rules I do not see the option to select DNS over HTTPS, only TLS.

    I created a rule blocking these 1149 DoH domains, except line 401, which is dns.nextdns.io:
    https://github.com/dibdot/DoH-IP-blocklists/blob/master/doh-domains.txt

    Destination is my profile IP addresses.  I'm using DNSFilter instead of NextDNS, but that's not relevant to what you're doing here.  See pic below.

    I'm not sure if the destIP shown at https://test.nextdns.io is what you're referring to. I'm using DoH for NextDNS, so they are domains, not IPs, unless I have this wrong. I can set up a rule for the destIP, but I doubt that IP is unique per NextDNS profile; I'm also not sure if it would ever change, though I doubt it.

      • Martheen
      • 6 days ago

       Since you allow the NextDNS domain, nothing stops other users from using their own NextDNS profile.

      • sidnen
      • 5 days ago

      I'm aware of that, but this is just to block the kids, so I think I'm fine. The block/allow list only allows domains, so even if I wanted to exclude any other NextDNS profiles besides my own, I'm not exactly sure how I'd go about doing that.
