There needs to be an option to have at least the roaming client block DoH server addresses. It is great DNSFilter provides a "community" list of server addresses that can be blocked at the firewall, but this is difficult to do, requires work to keep updated, and does not work with roaming laptops. There is no reason this can't be set up as a policy rule. I would also point out that many of DNSFilter's competitors offer this option.