I mean it’s not really the fact that it’s hard coded. On my network I redirect all DNS traffic to my local resolver. Doesn’t matter if an app tries to hit 8.8.8.8 or whatever.
The bit that will prevent me from pulling this trick in the future is the fact that it’s encrypted.
I meant hardcoded authenticated DNS i.e. something you can't just blind redirect or configure the destination of. Reworded to say hardcoded while ignoring the local resolver for clarity.
Encryption is technically the hard wall of "technically infeasible" but I say authentication because at that point you start getting massive delays in things being operationally feasible since you're waiting for things to give up on resolving rather than signaling it's unresolvable/a bogus location.
The bit that will prevent me from pulling this trick in the future is the fact that it’s encrypted.