Time to get serious about my router

Thanks for prompting me to come back to this issue during tonight’s meeting, @zeeclor.

The DrayTek can do it, but the terminology is different in the UI. Rather than using NAT rules, you can set up a wildcard * redirect of all DNS queries to an internal server (which is almost certainly building NAT rules in the background to make the redirect work).

This article on the DrayTek KB covers the config, and although the 2927 isn’t explicitly listed in the article, the option looks to be in the 2927’s UI according to the demo under Applications > LAN DNS / DNS Forwarding.

I strongly doubt it will block any encrypted DNS (DoH/DoT, etc.) traffic, but setting it up per the KB article should capture standard DNS lookups from devices on your network that are set to alternate DNS servers and aren’t honouring your DHCP-assigned one(s).

Given that there’s nothing in the KB article about it, I assume the DrayTek is clever enough not to redirect requests from the Pi-Hole back to the Pi-Hole. If not, then that’s a perfect opportunity to set up DoH outbound from your Pi-Hole too.
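To make the behaviour of a wildcard DNS redirect concrete, here is an added example (not from the post above and not DrayTek code) that models the rule at the packet level: which traffic a port-53 redirect captures, why DoT (853) and DoH (443) pass straight through, and why the Pi-hole's own upstream queries have to be exempted or a naive rule bounces them back to itself. The addresses are constructed for the example.

```python
# Added example: a small model of a "redirect all DNS to an internal server" rule.
# Not taken from the post or from DrayTek; addresses and traffic are constructed.
from dataclasses import dataclass, replace
from typing import Callable, List, Tuple

PIHOLE = "192.168.1.10"   # constructed: the internal resolver (Pi-hole) address
DNS_PORT = 53             # classic DNS over UDP/TCP, which the redirect matches
DOT_PORT = 853            # DNS over TLS: not matched by a port-53 rule
HTTPS_PORT = 443          # DNS over HTTPS: shares the port with ordinary web traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"


def naive_redirect(pkt: Packet, resolver: str = PIHOLE) -> Packet:
    """Rewrite every port-53 packet to the resolver, with no exemption at all."""
    if pkt.dport == DNS_PORT and pkt.proto in ("udp", "tcp"):
        return replace(pkt, dst=resolver)
    return pkt


def redirect_rule(pkt: Packet, resolver: str = PIHOLE) -> Packet:
    """Same DNAT-style rewrite, but traffic originating from the resolver is
    left alone so its upstream lookups are not redirected back to itself."""
    if pkt.src == resolver:
        return pkt
    return naive_redirect(pkt, resolver)


def creates_loop(pkt: Packet, rule: Callable[[Packet], Packet]) -> bool:
    """True when the rule sends the packet back to its own sender."""
    return rule(pkt).dst == pkt.src


def classify(pkt: Packet, resolver: str = PIHOLE) -> str:
    """Explain what the exempting rule does with one packet."""
    out = redirect_rule(pkt, resolver)
    if pkt.src == resolver:
        return "exempt"          # resolver's own upstream query, untouched
    if pkt.dst == resolver:
        return "already-local"   # client already using the Pi-hole
    if out.dst == resolver:
        return "redirected"      # hard-coded third-party resolver, captured
    if pkt.dport in (DOT_PORT, HTTPS_PORT):
        return "not-captured"    # encrypted DNS slips past a port-53 rule
    return "untouched"


# Constructed sample traffic from a LAN client and from the Pi-hole itself.
SAMPLE: List[Packet] = [
    Packet("192.168.1.50", "8.8.8.8", DNS_PORT, "udp"),    # client ignoring DHCP DNS
    Packet("192.168.1.50", PIHOLE, DNS_PORT, "udp"),       # well-behaved client
    Packet("192.168.1.50", "1.1.1.1", DOT_PORT, "tcp"),    # DoT
    Packet("192.168.1.50", "1.1.1.1", HTTPS_PORT, "tcp"),  # DoH (or plain HTTPS)
    Packet(PIHOLE, "9.9.9.9", DNS_PORT, "udp"),            # Pi-hole's upstream query
]


def simulate(packets: List[Packet] = SAMPLE) -> List[Tuple[Packet, str]]:
    return [(p, classify(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in simulate():
        print(f"{pkt.src:>14} -> {pkt.dst:>14}:{pkt.dport:<3} {pkt.proto}  {verdict}")
    upstream = SAMPLE[-1]
    print("naive rule loops Pi-hole upstream query:", creates_loop(upstream, naive_redirect))
    print("exempting rule loops it:", creates_loop(upstream, redirect_rule))
```

The useful check after configuring the router is the same as what the model shows: a client pointed at 8.8.8.8 should still get answers that come from the Pi-hole, while queries on 853 or 443 will not be touched, which is why the post's caveat about encrypted DNS stands.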