You could also configure your router to intercept rogue plaintext DNS lookups on your network with responses from a resolver you trust (for example a Pihole, Cloudflare or Google Public DNS, Quad9, PCH, etc). Adding something like Pihole would give you comprehensive blocking and custom internal DNS entries too.

How would that work? Do you only access a really small/known set of IPs? Or would you program the firewall to only allow connections to an arbitrary IP if it had seen a DNS query to your preferred servers go out and return that IP within a few seconds prior?

In the latter case, would you have to aggressively disable local DNS caching on devices to make the behavior work (is that even possible on some devices)? How would encrypted DNS fit into this scheme?

I am fine with the only Java application I have used in the lease decade not working. I did not even bother putting a JVM on any of the OS I installed in the last 5 years. So yeah, I’d rather have fewer security holes.