One way to limit this would be to add IP resolved through an approved resolver to a temporarily allowlist for a firewall. The firewall would default-deny outbound network requests. Allowlisted IP would be permitted, but be removed from the list after the TTL for the DNS request expires.

Of course, you'd have to add in some permanent exceptions once you realize just how much hardware and software implodes as a result of this.

Some expected, like peer-to-peer applications, though those allow you to define an outbound ephemeral port range you can limit them to (except perhaps for some poor implementations in commercial game launchers trying to offload bandwidth costs). So some are fairly easy to define.

Others you'll have to log and see. Like your Google Home hardware..

I got some minis and disabled the mics since they had hardware switches. I hacked around a bit emulate sending them audio programmatically and discovered they use external DNS and therefore couldn't resolve the local network web server hosting the audio clips I wanted to play. So I had to permanent-lease the hostname's IP and give it an IP address.. They were already bypassing local DNS blockers years ago.