Apple has implemented a way for developers to do this already with DoT. If you are running a Pi-hole, I suggest you block _dns[.]resolver[.]arpa. If not, and your upstream DNS resolver supports DoT, this will tell clients who your upstream provider is, and then they will send DoT requests out, bypassing your Pi-hole. This is part of so-called Discovery of Designated Resolvers (DDR).
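As an added illustration (not part of the comment above), here is what the DDR handoff actually carries: a small Python parser for the SVCB records a resolver returns for _dns.resolver.arpa, run over constructed sample answers (the example.net names and 192.0.2.53 are placeholders, not real resolvers). It shows the target, alpn, port and dohpath fields that tell a client which encrypted resolver to switch to, which is exactly what the Pi-hole block above denies the client.

```python
import struct

def _alpn(v):  # SvcParam "alpn": a sequence of length-prefixed protocol ids
    out, i = [], 0
    while i < len(v):
        out.append(v[i + 1:i + 1 + v[i]].decode("ascii"))
        i += 1 + v[i]
    return out

# SvcParamKey -> (name, decoder) for the keys a DDR answer typically carries.
DECODERS = {
    1: ("alpn", _alpn),
    3: ("port", lambda v: struct.unpack("!H", v)[0]),
    4: ("ipv4hint", lambda v: [".".join(map(str, v[i:i + 4])) for i in range(0, len(v), 4)]),
    7: ("dohpath", lambda v: v.decode("utf-8")),
}

def _read_name(data, offset):  # uncompressed wire-format name -> (dotted name, next offset)
    labels = []
    while data[offset] != 0:
        labels.append(data[offset + 1:offset + 1 + data[offset]].decode("ascii"))
        offset += 1 + data[offset]
    return ".".join(labels) + ".", offset + 1

def parse_svcb_rdata(rdata):
    """Decode one SVCB RDATA blob into priority, target name and SvcParams."""
    (priority,) = struct.unpack("!H", rdata[:2])
    target, offset = _read_name(rdata, 2)
    params = {}
    while offset < len(rdata):
        key, length = struct.unpack("!HH", rdata[offset:offset + 4])
        value, offset = rdata[offset + 4:offset + 4 + length], offset + 4 + length
        name, decode = DECODERS.get(key, (f"key{key}", bytes.hex))  # unknown keys kept as hex
        params[name] = decode(value)
    return {"priority": priority, "target": target, "params": params}

def encrypted_resolvers(rdata_list):
    """(target, protocol, port) a client would switch to, lowest priority first."""
    out = []
    for rec in sorted(map(parse_svcb_rdata, rdata_list), key=lambda r: r["priority"]):
        alpn = rec["params"].get("alpn", [])
        proto = "dot" if "dot" in alpn else "doq" if "doq" in alpn else "doh"
        out.append((rec["target"], proto, rec["params"].get("port", 443 if proto == "doh" else 853)))
    return out

# Constructed sample records (placeholder names/addresses): "1 dot.example.net. alpn=dot port=853 ipv4hint=192.0.2.53"
SAMPLE_DOT = (b"\x00\x01\x03dot\x07example\x03net\x00" + b"\x00\x01\x00\x04\x03dot"
              + b"\x00\x03\x00\x02\x03\x55" + b"\x00\x04\x00\x04\xc0\x00\x02\x35")
# "2 doh.example.net. alpn=h2 dohpath=/dns-query{?dns}"
SAMPLE_DOH = (b"\x00\x02\x03doh\x07example\x03net\x00" + b"\x00\x01\x00\x03\x02h2"
              + b"\x00\x07\x00\x10/dns-query{?dns}")
```

Feeding the RDATA from a real answer (for example from a packet capture of your own network) into encrypted_resolvers shows whether your upstream advertises a designated resolver at all; if it does, clients that trust the answer will bypass the local filter unless the name is blocked.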