Some applications use a custom DNS to bypass DNS filters.
Blocking these is as simple as adding an iptables rule to permit outgoing queries to port 53 (except Pi-hole). However, in the near future, I expect many applications to use DNS protocols like DNS over HTTPS or DNS over TLS to serve ads.
Because I couldn’t find one, I created a blacklist of SDNS servers: one block list containing IP addresses and another one containing SDNS domains.
I also created a script (probably pretty ugly, though it has fancy error handling) with which you can create and update those lists yourself.
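
One way to combine the port 53 restriction with an IP block list, as an added example that is not the script mentioned above. It assumes the rules go on a router's FORWARD chain, a Pi-hole at the placeholder address 192.0.2.53, and a list with one IPv4 address per line; the sample list is constructed, and the rules are only printed, not applied.

```shell
#!/bin/sh
# Print (do not apply) iptables rules: only the Pi-hole may use port 53,
# DNS over TLS (853) is rejected, and HTTPS to listed resolver IPs is rejected.
PIHOLE_IP="192.0.2.53"   # assumed Pi-hole address (documentation range)
SAMPLE_LIST='# constructed sample block list, not real resolver data
198.51.100.7
203.0.113.20   # trailing comment
198.51.100.7
999.1.1.1
dns.example.net
'

is_ipv4() {
    # Accept only dotted quads whose octets are all in 0..255.
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

gen_rules() {
    pihole=$1
    # Order matters: the Pi-hole exceptions must precede the general rejects.
    for proto in udp tcp; do
        echo "iptables -A FORWARD -s $pihole -p $proto --dport 53 -j ACCEPT"
    done
    for proto in udp tcp; do
        echo "iptables -A FORWARD -p $proto --dport 53 -j REJECT"
    done
    # DNS over TLS has its own port, so it can be rejected without a list.
    echo "iptables -A FORWARD -p tcp --dport 853 -j REJECT"
    # DNS over HTTPS shares port 443 with the web, so it needs the IP list.
    # Strip comments and whitespace, de-duplicate, validate each entry.
    sed -e 's/#.*//' -e 's/[[:space:]]//g' | sort -u | while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        if is_ipv4 "$ip"; then
            echo "iptables -A FORWARD -d $ip -p tcp --dport 443 -j REJECT"
        else
            echo "skipping invalid entry: $ip" >&2
        fi
    done
}

printf '%s' "$SAMPLE_LIST" | gen_rules "$PIHOLE_IP"
```

For a list with many entries, loading the addresses into an ipset and matching it with a single rule scales better than one rule per address.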