.*;querytype=ANY,HTTPS,SVCB;reply=nodata
I've bee running the "regex deny" for quite some time, without any noticeable impact. Be aware "whitelist always wins", so in order to enforce blocking for the specified query types, a whitelist entry (regex allow) needs to look like (example):
ctldl.windowsupdate.com;querytype=!ANY,SVCB,HTTPS
enforcing blocking also implies you cannot use "allow lists"...