We are using 3rd party DNS filtering similar to Umbrella. To prevent savvy end users from using other DNS services, I created a firewall rule on my lab MX allowing traffic to my DNS servers and to the 3rd party servers. I then created rules blocking traffic from any source to any destination on UDP and TCP ports 53 and 443. Testing showed this did not prevent me from resolving addresses if I manually set my DNS server. I have been searching the forums and it appears others have been able to make this work, so what am I missing?
Rule summary and order:
1: allow source, any internal network on ports 53 and 443 to destination my DNS and 3rd party DNS servers ports 53 and 443
2: deny source, any on ports 53 and 443 to destination any ports 53 and 443
(edited to fix a typo)