I used to have a rule on my firewall to redirect all internal 53/udp DNS traffic to my local DNS server for just this reason. But with DoH, there’s really not much one can do to ensure a device is behaving without completely null-routing that device.