• Boring@lemmy.ml · 5 upvotes · 1 year ago

    While this is good for surveillance circumventing… It is looking like the beginning of the end of DNS filtering and the popularization of encrypted telemetry.

    • Encrypted DNS has been possible and in use for years (including looking up IP addresses over HTTP, which I’ve caught several apps doing), but this isn’t DNS related.

      SNI filtering was pretty popular back in the day, but domain fronting is trivial to set up outside the browser. No SNI filtering setups I’ve come across actually bother to check certificate validity, so generating a self-signed eff.org certificate and using that from within an app would make quick work of most network filters.

      I’m afraid firewalls are the only workable solution if you’re not in control of the software you’re running. You can try to force apps through a MitM setup by blocking all outgoing traffic and configuring something like Privoxy as the only way out, but getting your MitM CA loaded into these apps can be a royal pain.
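
What checking certificate validity alongside the SNI could look like, as an added example that is not part of the comment above. It assumes the filter can open its own TLS connection to the flow's destination (TLS 1.3 encrypts the server certificate on the wire, so a passive filter cannot read it); the allowlist and function names are constructed for illustration.

```python
import socket
import ssl

# Constructed allowlist for this example.
ALLOWED_SNI = {"eff.org", "www.eff.org"}


def sni_allowed(sni: str) -> bool:
    """SNI-only check: trusts whatever name the client put in its ClientHello."""
    return sni.lower().rstrip(".") in ALLOWED_SNI


def cert_valid_for(dest_ip: str, port: int, sni: str, timeout: float = 3.0) -> bool:
    """Probe the flow's destination with the same SNI and require a certificate
    that chains to a trusted root and covers the claimed name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((dest_ip, port), timeout=timeout) as raw:
            # The handshake fails for a self-signed or mismatched certificate.
            with ctx.wrap_socket(raw, server_hostname=sni):
                return True
    except (OSError, ValueError):  # ssl.SSLError is a subclass of OSError
        return False


def verdict(dest_ip: str, port: int, sni: str) -> str:
    """Filter decision for one observed flow (destination address plus SNI)."""
    if not sni_allowed(sni):
        return "block: name not allowed"
    if not cert_valid_for(dest_ip, port, sni):
        return "block: certificate not valid for claimed name"
    return "allow"
```

A flow that claims an allowed name but terminates at a server presenting a self-signed certificate fails the second check, which an SNI-only filter never performs.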

    • Hotzilla@sopuli.xyz · 2 upvotes · 1 year ago

      You can do filtering and monitoring in the DNS server itself in a corpo environment, like Umbrella or AD DNS.