As I mentioned last week, if you have a “proper” firewall (e.g. OPNsense, etc.) you can go one step further than blocking outbound traffic on port 53: you can use NAT to redirect all external DNS requests to your own DNS server, giving you full control over what clients in your environment can resolve (obviously the internal DNS server itself still needs to be allowed out, since it has to reach its upstream resolvers).
Except DNS over HTTPS/TLS, of course…
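For a Linux firewall the redirect above looks like this in nftables; this is an added example, not configuration from the post or from OPNsense. It assumes a recent nftables (for `meta l4proto { tcp, udp } th dport`), a constructed LAN interface name `lan0` and a constructed resolver address `192.168.1.53`.

```nftables
# Added example (not from the post). Constructed assumptions: the LAN-facing
# interface is "lan0" and the internal resolver lives at 192.168.1.53.
define lan_if = "lan0"
define resolver = 192.168.1.53

table inet dns_pin {
    # Rewrite the destination of every DNS query coming from the LAN to the
    # internal resolver, whatever server the client actually asked for.
    # Queries from the resolver itself are left alone so it can reach upstream.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $lan_if ip saddr != $resolver \
            meta l4proto { tcp, udp } th dport 53 dnat ip to $resolver
    }

    # Hairpin case: when client and resolver share the LAN segment, the
    # redirected query must also be source-NATed, otherwise the resolver
    # answers the client directly from an address the client never queried
    # and the reply is discarded.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $lan_if ip daddr $resolver \
            meta l4proto { tcp, udp } th dport 53 masquerade
    }

    # Belt and braces: the forward hook sees post-DNAT addresses, so anything
    # on port 53 that is neither going to the resolver nor coming from it is a
    # leak and is dropped. Port 853 (DNS over TLS) is dropped the same way;
    # DNS over HTTPS shares port 443 with ordinary web traffic and cannot be
    # separated from it by port alone, which is the caveat in the post.
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname $lan_if ip daddr $resolver meta l4proto { tcp, udp } th dport 53 accept
        iifname $lan_if ip saddr $resolver meta l4proto { tcp, udp } th dport 53 accept
        iifname $lan_if meta l4proto { tcp, udp } th dport 53 drop
        iifname $lan_if meta l4proto { tcp, udp } th dport 853 drop
    }
}
```

Load it with `nft -f` and check the conntrack table while a client queries an external address: the entry should show the original destination on one side and the resolver on the other.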