That's what I do. I actively block third party DNS and known DNS services except cloudflare and quad9, but only when coming from my raspberry pi. I haven't allowed an unencrypted DNS request from my local network in a long time. At least not that I know of. I have blocked a lot of apps/appliances trying to use their own DNS, and so far that has been enough. When they figure out that they can use DNS on non-standard ports I'm fudged.