>i'll run packet capture, but all I've done is change my DNS server IP on my pc to 8.8.8.8 and it's bypassing umbrella.
That's because the browser is not using the DNS configured on your computer when it uses DNS over HTTPS.
If you have Active Directory or Intune you can create a group policy to disable DNS over HTTPS.
https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::DnsOverHttpsMode
You need a policy for each browser you allow in your environment.
If you have unmanaged machines then you can disable DNS over HTTPS on each machine individually inside of each browser supported.
You can also block it on your MX. I think the category you need to block is "proxies and other anonimyzers".