some kind of dot proxy or program then enforce dns redirection / blocking via firewall rules.
personally I use AdGuard Home with blocking rules as it also provides adblocking/tracking filtering. My thread uses Cloudflare as upstream provider but nothing stopping you using other DNS providers.