
Pi-hole is still a wonderful application. I use it on my home network. One drawback that Pi-hole has vs pfSense is that Pi-hole cannot do anything about devices that have hard-coded DNS IPs (e.g. 1.1.1.1 or 8.8.8.8, etc.).


DNS is really easy to redirect (at the firewall level) since it goes over UDP. The growing problem is DNS over HTTPS, which uses certificates and TCP and is much harder to redirect (without setting up a MITM and distributing the CA to all devices). Fortunately just blocking the DoH domains at the DNS level works, but unlike the global UDP port 53 redirect, it's a cat-and-mouse game.


The hard-coded issue is more of a consumer router limitation than a Pi-hole issue. Any router that can redirect DNS requests + dnsmasq can do what pfBlockerNG does. You just don't see it since pfSense does this in the background. All my Ubiquiti stuff or OPNsense uses Pi-hole fine with hard-coded DNS, including Chromecast (I use NextDNS instead of Pi-hole but it's essentially the same thing).


Indeed, how it is described in section 3.2 of the article is how I also did it on my home router + Pi-hole combo. Still have to add that rule 1 though, DNS over TLS.
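The three pieces the comments above describe (the firewall-level port 53 redirect, blocking DNS over TLS, and making the DoH endpoints unresolvable at the DNS level), as an added example that is not from any commenter and is not Pi-hole's, pfSense's or pfBlockerNG's own code. The LAN interface `br0`, the Pi-hole address `192.168.1.2` and the table name `dnsredir` are assumptions; the script only emits the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Assumed values (constructed for this example); override via environment.
LAN_IF="${LAN_IF:-br0}"
PIHOLE="${PIHOLE:-192.168.1.2}"

# Emit an nftables ruleset that sends every plain-DNS query from the LAN to
# the Pi-hole, no matter which resolver IP the client has hard-coded, and
# rejects DNS over TLS (TCP 853) so clients cannot bypass the redirect.
gen_nft_ruleset() {
  lan_if=$1
  pihole=$2
  cat <<EOF
table inet dnsredir {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # The Pi-hole's own upstream queries must not be looped back to itself.
    iifname "$lan_if" ip saddr $pihole return
    # Both UDP and TCP 53: large answers and zone transfers use TCP.
    iifname "$lan_if" udp dport 53 dnat ip to $pihole:53
    iifname "$lan_if" tcp dport 53 dnat ip to $pihole:53
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    # DNS over TLS cannot be transparently redirected; reject it instead.
    iifname "$lan_if" tcp dport 853 reject with tcp reset
  }
}
EOF
}

# Emit a dnsmasq fragment that returns NXDOMAIN for well-known DoH endpoints,
# so clients fall back to the plain DNS that the rules above capture.
gen_dnsmasq_doh_block() {
  cat <<'EOF'
address=/dns.google/
address=/cloudflare-dns.com/
address=/mozilla.cloudflare-dns.com/
# Firefox canary domain: NXDOMAIN here disables its automatic DoH.
address=/use-application-dns.net/
EOF
}

# Usage: ./dnsredir.sh --print > dnsredir.nft   (then review, then nft -f)
if [ "${1:-}" = "--print" ]; then
  gen_nft_ruleset "$LAN_IF" "$PIHOLE"
fi
```

The dnsmasq fragment belongs in a `conf-file` directory on the resolver the LAN is forced to use; the DoH list is the cat-and-mouse part and needs periodic review.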




