
ricardobeat
Unfortunately there is no way to block websites at the network level (that I know of) as browsers and mobile phones have started using hardcoded DNS resolvers, so the utility of this is limited.

AdieuToLogic
> Unfortunately there is no way to block websites at the network level (that I know of) as browsers and mobile phones have started using hardcoded DNS resolvers, so the utility of this is limited.

Any network traffic which goes through a gateway under your control can be controlled. DNSSEC[0] can make this more difficult, true, but not impossible as content ultimately originates from an IPv4/IPv6 address and can be dropped by upstream network devices.

0 - https://en.wikipedia.org/wiki/Domain_Name_System_Security_Ex...

elric
> browsers and mobile phones have started using hardcoded DNS resolvers, so the utility of this is limited

Got a source for that? No phone or browser that I'm aware of uses "hardcoded DNS resolvers". They all use the OS DNS servers which the OS gets from DHCP.

brynx97
https://support.mozilla.org/en-US/kb/firefox-dns-over-https

By extension, any application or device could rely on DoH instead of OS-provided or network-provider DNS servers. It is controversial, since it both helps individuals combat ISP or government censorship and also helps bad actors do bad things [1].

[1] https://en.wikipedia.org/wiki/DNS_over_HTTPS#Analysis_of_DNS...

elric
DoH in Firefox is off by default (at least in every FF I've ever installed). And it's not hardcoded to any specific DNS server, you can use whichever provider you like.

ethan_smith
You can still block at network level by configuring your router to intercept all port 53 traffic, redirect DNS-over-HTTPS using firewall rules for known DoH providers, and employ TLS inspection on your gateway for complete control.

remuskaos
I thought I commented on this from my phone, but it seems it didn't go through, so I'll try again.

Most apps I've tried (and browsers too) can be blocked just fine via DNS. The gli.net interface allows "Override DNS Settings of All Clients" and "DNS Rebinding Attack Protection". This way, the router itself is the only resolver actually reachable. Even if I try some manual `dig google.com @1.1.1.1`, I still get the router's result.

The only thing it can't block is DNS over HTTPS. I think that's by design, it seems it's impossible to block that.
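The two points made above (forcing all port-53 traffic to the router's own resolver, and DoH/DoT to known public resolvers being the remaining gap) can be checked from the gateway's flow logs. The following is an added example, not code from anyone in this thread or from any router vendor; the log line format, the gateway address `192.168.8.1`, and the resolver list are assumptions, and the log lines are constructed.

```python
# Added example: classify constructed gateway flow records to see which DNS
# traffic reaches the router's resolver and which tries to go around it.
from dataclasses import dataclass
from ipaddress import ip_address

ROUTER_IP = "192.168.8.1"  # assumed LAN gateway / only permitted resolver

# Assumed sample set of public resolver addresses that also answer DoH/DoT.
# A real deployment would maintain this from the providers' published ranges.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int


def classify(flow: Flow) -> str:
    """Label a flow by how it relates to the 'router is the only resolver' policy."""
    if flow.dport == 53:
        # Plain DNS is fine only when it terminates at the router itself.
        return "dns-ok" if flow.dst == ROUTER_IP else "dns-bypass"
    if flow.dport == 853:
        return "dot-bypass"  # DNS over TLS uses a dedicated port, easy to spot
    if flow.dport == 443 and flow.dst in KNOWN_DOH_RESOLVERS:
        return "doh-likely"  # HTTPS to a known resolver: cannot be told apart by port
    return "other"


def parse_line(line: str) -> Flow:
    # Assumed log format: "<src> <dst> <proto> <dport>"
    src, dst, proto, dport = line.split()
    ip_address(src), ip_address(dst)  # raise ValueError on a malformed address
    return Flow(src, dst, proto.lower(), int(dport))


def summarize(lines) -> dict:
    """Count flows per label, skipping blank lines."""
    counts: dict = {}
    for line in lines:
        if not line.strip():
            continue
        label = classify(parse_line(line))
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample log: one compliant lookup, one manual `dig @1.1.1.1`,
# one HTTPS flow to a known DoH resolver, one ordinary HTTPS flow, one DoT flow.
SAMPLE_LOG = """\
192.168.8.20 192.168.8.1 udp 53
192.168.8.20 1.1.1.1 udp 53
192.168.8.21 1.1.1.1 tcp 443
192.168.8.21 203.0.113.5 tcp 443
192.168.8.22 9.9.9.9 tcp 853
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

The `dns-bypass` count is what a port-53 redirect rule makes harmless; `doh-likely` flows are the ones the thread notes cannot be distinguished from ordinary HTTPS by port alone.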
