> This and I combo it with restricting DNS lookups to the actual LAN servers.
This won't prevent OP's concern with apps doing DNS over HTTPS, would it?
> No way to bypass the DNS at that point via the firewall.
Some apps do not even do DNS and connect to static IPv4s and IPv6s straight away. Even if IPv4 is limited, there is plenty of IPv6 to go around, more than an ip-table can handle.
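A restrict-DNS-to-the-LAN-resolver rule only sees port-53 traffic, so both cases raised above (DoH lookups and clients that connect to hard-coded addresses) slip past it unnoticed. One defender-side check for that gap, written as an added example rather than anything posted in this thread, is to correlate the connection log against the answers the LAN resolver actually handed out: any outbound connection to an address no LAN DNS answer ever contained is worth a look. The log format, the `LAN_NETWORKS` list and the sample addresses (RFC 5737 and RFC 3849 documentation ranges) are all constructed for the example.

```python
"""Flag outbound connections that were not preceded by a LAN DNS answer.

Added example (not from the thread): a LAN-only DNS firewall rule cannot see
DoH lookups or hard-coded destination IPs, so this looks at the connection
log instead and reports destinations that no LAN resolver answer contained.
"""
from ipaddress import ip_address, ip_network

# Constructed sample log. Line formats are an assumption made for this example:
#   dns  <client> query <name> answer <address>
#   conn <client> -> <destination> port <port>
# Addresses come from RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_LOG = """\
dns 192.168.1.10 query example.test answer 203.0.113.10
conn 192.168.1.10 -> 203.0.113.10 port 443
conn 192.168.1.10 -> 198.51.100.7 port 443
dns 192.168.1.11 query mail.example.test answer 2001:db8::25
conn 192.168.1.11 -> 2001:db8::25 port 443
conn 192.168.1.11 -> 2001:db8:ffff::1 port 443
conn 192.168.1.11 -> 192.168.1.1 port 53
"""

# Assumed LAN ranges; connections staying inside them are not interesting here.
LAN_NETWORKS = [ip_network("192.168.0.0/16"), ip_network("fd00::/8")]


def is_lan(addr: str) -> bool:
    """True when the address falls inside one of the configured LAN ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def parse_line(line: str):
    """Parse one log line into a ('dns', client, answer) or
    ('conn', client, destination, port) tuple; None for anything else."""
    tokens = line.split()
    if len(tokens) < 6:
        return None
    if tokens[0] == "dns":
        return ("dns", tokens[1], tokens[5])
    if tokens[0] == "conn":
        return ("conn", tokens[1], tokens[3], int(tokens[5]))
    return None


def find_unresolved_connections(log_text: str):
    """Return (client, destination, port) for every outbound connection whose
    destination was never returned to that client by the LAN resolver.

    Such connections are the ones a port-53-only rule cannot account for:
    either the name was resolved elsewhere (DoH/DoT) or the app never
    resolved anything and used a hard-coded address."""
    resolved = {}  # client -> set of addresses the LAN resolver answered with
    flagged = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        if record[0] == "dns":
            _, client, answer = record
            resolved.setdefault(client, set()).add(ip_address(answer))
            continue
        _, client, dst, port = record
        if is_lan(dst):
            continue
        # ip_address() normalises IPv6 text so "2001:db8::25" compares equal
        # regardless of how it was written in either log line.
        if ip_address(dst) not in resolved.get(client, set()):
            flagged.append((client, dst, port))
    return flagged


if __name__ == "__main__":
    for client, dst, port in find_unresolved_connections(SAMPLE_LOG):
        print(f"{client} -> {dst}:{port}  no LAN DNS answer for this destination")
```

On the constructed sample the two port-443 connections to addresses the LAN resolver never returned are reported, while the resolved destinations and the client's own port-53 traffic to the LAN resolver are not. The heuristic does not say which of the two causes applies, only that the DNS rule had no say in that connection, which is exactly the blind spot the thread is discussing.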