Re: not going to work
DPI is the only true solution, but for now I'm doing as you do, with 53/853 only allowed by Pi-hole. I also manage a list of IPs on my router that are dropped for 443. The list updates weekly based on resolving the IPs of all the rel="nofollow" links on this page https://github.com/curl/curl/wiki/DNS-over-HTTPS to get me IPs for known DoH servers. It's not ideal, and mine also isn't the best implementation (I made it when I was just pondering DoH), but it catches enough right now, is more or less zero maintenance, and is better than nothing.
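The list-building step described in that post, as an added example that is not the poster's own script: pull the `rel="nofollow"` links out of the page's HTML, keep the unique https hostnames, resolve them, and render an nftables ruleset that drops new connections to tcp/443 on those addresses. The HTML fragment and the hostname-to-address map below are constructed so the example runs offline; for a real weekly job you would fetch the wiki page and pass `system_resolver` instead of `fake_resolver`. Table and set names (`doh_block`, `v4`, `v6`) are assumptions.

```python
"""Build a tcp/443 drop list from the DoH endpoints linked on an HTML page.

Added example, not the poster's script. Assumes the endpoints appear as
<a rel="nofollow" href="https://..."> links (as on the curl wiki page) and
that the resolver is injected, so it runs offline on constructed data.
"""
import socket
from html.parser import HTMLParser
from typing import Callable, Dict, Iterable, List, Set
from urllib.parse import urlsplit

# Constructed stand-in for the fetched wiki HTML; hostnames are documentation names.
SAMPLE_HTML = """
<html><body><ul>
<li><a rel="nofollow" href="https://dns.example-doh.net/dns-query">Example DoH</a></li>
<li><a rel="nofollow" href="https://doh.example-resolver.org/dns-query?dns=">Another</a></li>
<li><a rel="nofollow" href="https://dns.example-doh.net/">same host, other path</a></li>
<li><a href="/curl/curl/wiki">internal wiki link, no nofollow, skipped</a></li>
<li><a rel="nofollow" href="http://plain.example.com/">plain http, not a 443 target</a></li>
</ul></body></html>
"""

# Constructed resolver answers (RFC 5737 / 3849 addresses), standing in for getaddrinfo.
FAKE_DNS: Dict[str, List[str]] = {
    "dns.example-doh.net": ["192.0.2.10", "192.0.2.11", "2001:db8::10"],
    "doh.example-resolver.org": ["198.51.100.5"],
}


class NofollowLinkParser(HTMLParser):
    """Collect href values of <a> tags whose rel attribute contains 'nofollow'."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "a":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").split()
        if "nofollow" in rel and a.get("href"):
            self.hrefs.append(a["href"])


def doh_hosts(html: str) -> List[str]:
    """Unique hostnames of https:// nofollow links, in first-seen order."""
    p = NofollowLinkParser()
    p.feed(html)
    seen: Set[str] = set()
    hosts: List[str] = []
    for href in p.hrefs:
        u = urlsplit(href)
        # Only https endpoints belong on a 443 drop list; relative and http links are skipped.
        if u.scheme != "https" or not u.hostname:
            continue
        h = u.hostname.lower()
        if h not in seen:
            seen.add(h)
            hosts.append(h)
    return hosts


def resolve_all(hosts: Iterable[str], resolver: Callable[[str], List[str]]) -> List[str]:
    """Resolve every host through `resolver`; hosts that fail to resolve are skipped."""
    addrs: Set[str] = set()
    for h in hosts:
        try:
            addrs.update(resolver(h))
        except OSError:  # NXDOMAIN, timeout, etc.: keep going, the list is best effort
            continue
    return sorted(addrs)


def system_resolver(host: str) -> List[str]:
    """Real resolver for production use: A and AAAA answers from the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})


def fake_resolver(host: str) -> List[str]:
    """Offline resolver backed by the constructed FAKE_DNS map."""
    return FAKE_DNS.get(host, [])


def nft_ruleset(addrs: Iterable[str], table: str = "doh_block") -> str:
    """Render an nftables file that drops forwarded tcp/443 traffic to the given addresses.

    The create-then-flush prelude lets the same file be reloaded weekly with
    `nft -f`, replacing the previous list atomically instead of appending to it.
    """
    addrs = list(addrs)
    v4 = [a for a in addrs if ":" not in a]
    v6 = [a for a in addrs if ":" in a]
    out = [f"table inet {table} {{}}", f"flush table inet {table}", f"table inet {table} {{"]
    if v4:
        out.append(f"  set v4 {{ type ipv4_addr; elements = {{ {', '.join(v4)} }} }}")
    if v6:
        out.append(f"  set v6 {{ type ipv6_addr; elements = {{ {', '.join(v6)} }} }}")
    out.append("  chain forward { type filter hook forward priority 0; policy accept;")
    if v4:
        out.append("    ip daddr @v4 tcp dport 443 drop")
    if v6:
        out.append("    ip6 daddr @v6 tcp dport 443 drop")
    out += ["  }", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(nft_ruleset(resolve_all(doh_hosts(SAMPLE_HTML), fake_resolver)), end="")
```

Two caveats worth keeping in mind with this approach: an address on the list is dropped for all of tcp/443, so a DoH endpoint hosted on a shared CDN address takes unrelated HTTPS sites down with it, and the resolution must itself go through a resolver you trust (the Pi-hole), since a DoH client that is also an upstream for your router could answer with addresses of its choosing.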