then you catch all DNS traffic not going to your DNS, and redirect them, in your firewall.
or just block everything not going to your DNS, forcing the devices to use it.
you'll have a bigger headache with DoH though.
there's also DoT, but that's easy to block in the fw.