So, my question is - are there configurations that need to be made outside of the Pi-hole for device queries to be blocked entirely?
Yes.
- On your router's firewall, you will need to block outbound port 53 and 853 for all devices except your router & Pi-hole. If your network is both IPv4 & IPv6, you will need to do this for both firewalls.
- You will also need to block DNS over HTTPS, as this traffic does not use port 53. Consider implementing this blocklist into your Pi-hole. If your firewall supports IP address lists/blocking, I would suggest adding the IP list into the firewall, to prevent hard-coded IPs in devices still using DoH.
- Consider enabling the special domain blocking for iCloud relay and Firefox's DoH service in Pi-hole's config.
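
The firewall policy from the answer above, modelled as an added example (not part of the original answer) so that exported flow records can be checked against it for devices trying to bypass the Pi-hole. The LAN addresses, the DoH address ranges (documentation space used as placeholders) and the `src dst proto dport` record format are all assumptions.

```python
import ipaddress

# Constructed addresses (assumptions): router and Pi-hole, IPv4 and IPv6.
ALLOWED_RESOLVERS = {ipaddress.ip_address(a) for a in
                     ("192.168.1.1", "192.168.1.2", "fd00::1", "fd00::2")}
# Placeholder DoH endpoint ranges taken from documentation address space;
# a real list would come from the IP list the answer refers to.
DOH_NETS = [ipaddress.ip_network(n)
            for n in ("198.51.100.0/24", "2001:db8:d0::/48")]
DNS_PORTS = {53: "plain DNS", 853: "DNS over TLS"}


def verdict(src, dst, proto, dport):
    """Return (action, reason) for one flow crossing the router."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != dst_ip.version:
        raise ValueError("source and destination address families differ")
    if dport in DNS_PORTS and proto in ("udp", "tcp"):
        if src_ip in ALLOWED_RESOLVERS:
            return "accept", "resolver may query upstream"
        if dst_ip in ALLOWED_RESOLVERS:
            return "accept", "client query to the local resolver"
        return "drop", f"{DNS_PORTS[dport]} from a client bypasses Pi-hole"
    # DoH rides on 443, so it can only be matched by destination address.
    if dport == 443 and any(dst_ip in net for net in DOH_NETS):
        return "drop", "destination is on the DoH address list"
    return "accept", "not DNS traffic"


def audit(flows):
    """Yield (src, dst, reason) for every flow the policy would drop."""
    for line in flows:
        src, dst, proto, dport = line.split()
        action, reason = verdict(src, dst, proto, int(dport))
        if action == "drop":
            yield src, dst, reason


# Constructed flow records: "src dst proto dport".
SAMPLE_FLOWS = [
    "192.168.1.50 203.0.113.53 udp 53",   # client using a hard-coded resolver
    "192.168.1.2 203.0.113.53 udp 53",    # Pi-hole querying its upstream
    "192.168.1.50 203.0.113.53 tcp 853",  # client attempting DNS over TLS
    "fd00::50 2001:db8:d0::1 tcp 443",    # IPv6 client reaching a DoH endpoint
    "192.168.1.50 192.0.2.80 tcp 443",    # ordinary HTTPS
]

if __name__ == "__main__":
    for src, dst, reason in audit(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {reason}")
```

Sources that show up repeatedly in the audit output are the devices with hard-coded resolvers.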