Re: Executives are allowed to ignore anything they want because they deserve it.
The easiest (but incomplete) solution is what Pi-Hole has already done: include a DoH server, so it's the one doing DNS lookups.
How does it cope with hardcoded DoH addresses (e.g. to Google or Cloudflare slurp) and/or pinned certificate checks on the same?
And MITMing SSL is almost always a really REALLY bad idea!