The best setup is a roll-your-own DNS resolver. You set up your DNS resolver at your gateway using unbound, then set up your firewall to redirect any outbound port 53 (TCP/UDP) traffic to your unbound resolver. The advantages: a) you no longer need to manually configure each client just to use your own resolver; b) whatever DNS is set on the client, the DNS traffic will still get re-routed transparently to your own resolver. In short, they can't override it; c) you can incorporate blacklisted domains, so you can block xxx, gambling and ad domains at the gateway level.
Disadvantage: can be tricky to set up.
On my gateway, instagram.com and whatsapp.com are blocked, so here are the lines:
gateway# egrep -i '"(whatsapp|instagram)\.com"' /var/unbound/etc/unbound.conf
local-zone: "instagram.com" always_nxdomain
local-zone: "whatsapp.com" always_nxdomain
Then when you query from one of the clients, whatever DNS is configured there, you will get an NXDOMAIN (meaning the domain does not exist).
user@debian10:~$ nslookup whatsapp.com
Server: 192.168.0.30
Address: 192.168.0.30#53
** server can't find whatsapp.com: NXDOMAIN
user@debian10:~$
user@debian10:~$ nslookup instagram.com
Server: 192.168.0.30
Address: 192.168.0.30#53
** server can't find instagram.com: NXDOMAIN
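
For the blacklist point in (c), a sketch of how a longer list could be turned into `local-zone` lines of the same form as the two shown above. This is an added example, not part of the original post; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): convert a domain blocklist into
# unbound "local-zone ... always_nxdomain" lines like the two shown in the post.

# Constructed sample input: plain names and hosts-file style entries.
sample_blocklist() {
cat <<'EOF'
# constructed sample blocklist
0.0.0.0 Instagram.com
whatsapp.com
whatsapp.com.    # duplicate, written with the root dot
127.0.0.1 localhost
0.0.0.0 ads.example.net tracker.example.net
bad"name.com
EOF
}

# Reads a blocklist on stdin, writes sorted, de-duplicated local-zone lines.
blocklist_to_unbound() {
    tr -d '\r' | awk '
    {
        sub(/#.*/, "")                      # strip comments
        if (NF == 0) next                   # skip blank lines
        first = (NF >= 2) ? 2 : 1           # hosts format: field 1 is the address
        for (i = first; i <= NF; i++) {
            name = tolower($i)
            sub(/\.$/, "", name)            # drop a trailing root dot
            # Accept only dotted hostnames made of letters, digits and hyphens.
            # Quotes or other characters are rejected so an entry cannot break
            # out of the quoted zone name in unbound.conf.
            if (length(name) > 253 ||
                name !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]([a-z0-9-]*[a-z0-9])?$/) {
                print "skipped: " name > "/dev/stderr"
                continue
            }
            if (!seen[name]++) print name
        }
    }' | LC_ALL=C sort | while read -r d; do
        printf 'local-zone: "%s" always_nxdomain\n' "$d"
    done
}

sample_blocklist | blocklist_to_unbound
```

The output can be written to a separate file and pulled into the `server:` section of unbound.conf with an `include:` line; running `unbound-checkconf` before reloading catches syntax errors.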