Jonathan Bullock
Some VPN clients don't use DNS, and their client apps use a pool of IPs to connect to their services. You would have to do this in the network or endpoint firewall rules. Or possibly RMM or MDM could block or audit/monitor this.
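Added example, not part of the original comment or of any vendor's product: one way to audit for clients that reach external IPs without a DNS lookup is to correlate firewall flow logs with DNS answer logs. The log formats, the `INTERNAL` range, the `MAX_AGE` window and the function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data (documentation address ranges), not real logs.
# DNS answers: timestamp, client, queried name, answer IP
DNS_LOG = """\
2024-05-01T09:00:00 10.0.5.21 www.example.com 198.51.100.10
2024-05-01T09:00:05 10.0.5.22 mail.example.net 198.51.100.25
"""
# Firewall flows: timestamp, client, destination IP, destination port
FLOW_LOG = """\
2024-05-01T09:00:01 10.0.5.21 198.51.100.10 443
2024-05-01T09:01:00 10.0.5.21 203.0.113.77 443
2024-05-01T09:01:30 10.0.5.22 203.0.113.78 1194
2024-05-01T09:02:00 10.0.5.22 10.0.0.53 53
2024-05-01T11:30:00 10.0.5.22 198.51.100.25 443
"""
INTERNAL = [ip_network("10.0.0.0/8")]  # assumption: site address space
MAX_AGE = timedelta(hours=1)           # assumption: how long an answer counts


def parse(log):
    """Yield (timestamp, remaining fields) for each whitespace-separated line."""
    for line in log.splitlines():
        ts, *rest = line.split()
        yield datetime.fromisoformat(ts), rest


def flows_without_dns(dns_log, flow_log):
    """Return flows to external IPs the client did not resolve within MAX_AGE."""
    resolved = defaultdict(list)  # (client, answer IP) -> answer timestamps
    for ts, (client, _name, answer) in parse(dns_log):
        resolved[(client, answer)].append(ts)
    flagged = []
    for ts, (client, dst, port) in parse(flow_log):
        if any(ip_address(dst) in net for net in INTERNAL):
            continue  # internal traffic is out of scope
        recent = any(timedelta(0) <= ts - seen <= MAX_AGE
                     for seen in resolved.get((client, dst), []))
        if not recent:
            flagged.append((ts.isoformat(), client, dst, int(port)))
    return flagged


if __name__ == "__main__":
    for hit in flows_without_dns(DNS_LOG, FLOW_LOG):
        print(*hit)
```

Legitimate software with hard-coded addresses shows up in the same output, so treat the result as a triage list for firewall rules rather than a block list.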
Sam Rankl
This is already covered underneath the threat category of Proxy & Filter avoidance: "Sites that provide information or a means to circumvent DNS based content filtering, including VPN and anonymous surfing services."
If there are some that they have missed, submit a domain report to reclassify the site/service into that category. They will respond back within 24-48 hours and get it reclassified. I see a ton of blocks from our BYOD devices on the guest wireless trying to access various VPN services like SurfShark, NordVPN, etc. They need to identify more of the DoH FQDNs; we had to add more sites to our blocks manually for those guest devices.
Aland Coons
Maybe even many of the less common ones. I'm sure this list could quickly exceed fifty services.