Seems unlikely it's DoH[0] (:443) since that would be.. hard coding an IP or a DNS lookup loop (turtles.. all the way down). But it's possible in combination with :53 above (you'd need to recursive-block the common DoH domains https://cloudflare-dns.com/dns-query https://mozilla.cloudflare-dns.com https://dns.google/dns-query but possibly also some device-specific IPs.. dns.roku.com?)
DoT[1] (:853) could also be used (1.1.1.1, 8.8.8.8, 9.9.9.9)... guess it's worth watching traffic/blocking that port (if that's your concern).
[0]: https://en.wikipedia.org/wiki/DNS_over_HTTPS
[1]: https://en.wikipedia.org/wiki/DNS_over_TLS
From there, I allow AdGuard DNS out over port 953.
I then use pfBlockerNG with a few block-lists to block DoH and known DNS over 443 servers.
Overall works fairly well, I've had an issue or two when a device can't talk to 1.1.1.1 directly...
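As an added example (not code from either commenter) of the "watch traffic" idea in both comments above: a small Python classifier over constructed flow records that flags port 53 to anything but the LAN resolver, port 853 (DoT), and port 443 to the public resolver IPs named in the thread. The LAN resolver address and the (src, dst, dst_port, proto) tuple format are assumptions for the example.

```python
from collections import defaultdict

# Assumed LAN resolver address for this example.
LOCAL_RESOLVER = "192.168.1.1"
# Public resolver addresses mentioned in the thread; extend with a block-list
# of DoH endpoint IPs, since DoH on :443 is otherwise indistinguishable from HTTPS.
PUBLIC_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}

# Constructed sample flows, not real captures: (src, dst, dst_port, proto).
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.1", 53, "udp"),    # normal: LAN resolver
    ("192.168.1.21", "8.8.8.8", 53, "udp"),        # plain DNS bypassing the resolver
    ("192.168.1.22", "1.1.1.1", 853, "tcp"),       # DoT
    ("192.168.1.23", "1.1.1.1", 443, "tcp"),       # DoH to a known resolver IP
    ("192.168.1.23", "203.0.113.10", 443, "tcp"),  # ordinary HTTPS, not flagged
]

def classify_flow(src, dst, dst_port, proto):
    """Return a label for a flow that bypasses the local resolver, else None."""
    if dst_port == 53 and dst != LOCAL_RESOLVER:
        return "plain-dns-bypass"
    if dst_port == 853 and proto == "tcp":
        return "dot"
    if dst_port == 443 and dst in PUBLIC_RESOLVERS:
        return "doh-known-resolver"
    return None

def find_bypassing_devices(flows):
    """Map each source IP to the set of resolver-bypass techniques seen for it."""
    findings = defaultdict(set)
    for src, dst, dst_port, proto in flows:
        label = classify_flow(src, dst, dst_port, proto)
        if label:
            findings[src].add(label)
    return dict(findings)

if __name__ == "__main__":
    for device, labels in sorted(find_bypassing_devices(SAMPLE_FLOWS).items()):
        print(device, sorted(labels))
```

Feed it real flow tuples from your firewall's state table or NetFlow export to see which devices are ignoring the LAN resolver before deciding what to block.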