OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: Memes11 on May 18, 2025, 01:56:32 PM

Title: How to force DNS
Post by: Memes11 on May 18, 2025, 01:56:32 PM
Hi,

I have now just implemented a Youtube block on my network using Unbound to block the wildcard domain youtube.com.

For the TV and those I want to leave access to Youtube, I have added a DHCP reservation on which I push Cloudflare DNS rather than the local one (Unbound with Youtube blocked).

Now, my girl is a rather smart one and will figure that out at some point and will set her own DNS on her PC to go around that. Is there a way to force all DNS to follow what the firewall expects, so that even if she sets a static IP on her PC, it is still using the local DNS?
Title: Re: How to force DNS
Post by: meyergru on May 18, 2025, 02:05:02 PM
It is a bit more complicated than you think:

While your girl could use another DNS server, you could block or divert outbound traffic from your LAN to anything with port 53.

However, there are at least three more ways you can do local DNS resolution:

1. Enter the IPs (attainable through internet research) into /etc/hosts or the OS equivalent thereof.
2. Use DoT over Port 853, which you would have to block as well.
3. Use DoH over Port 443, which you probably do not want to block, because then, nothing works.

The last one does not even require system intervention which you could prevent by stripping admin privileges, it is conveniently built into the browser - and #2 is even the default these days...

Besides, there are masking sites that provide Youtube content.

You will not get very far without the possibility of full client control (good luck with that on iOS or Android), such that you can have a mandatory proxy and then filter out any problematic URLs.

Oh, and BTW: you cannot block Youtube IPs, either, since they are shared with Google.
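To make the limits of port-based enforcement concrete, here is an added example (not code from the thread or from OPNsense) that audits firewall flow records for LAN hosts talking to resolvers other than the local Unbound. It treats port 53 (plain DNS) and port 853 (DoT) as detectable bypasses, exempts hosts that are deliberately pointed at an upstream resolver via DHCP reservation, and deliberately reports nothing for port 443, because DoH is indistinguishable from ordinary HTTPS by port alone. The log format, the resolver address 192.168.1.1, the exempt host and all flow lines are constructed for the example.

```python
"""Audit flow records for LAN clients bypassing the local resolver.

Constructed log format (not real OPNsense/pf output):
    "<src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample flows for demonstration only.
SAMPLE_FLOWS = [
    "192.168.1.20:51234 -> 192.168.1.1:53 udp",     # client using local Unbound: fine
    "192.168.1.23:40002 -> 1.1.1.1:53 udp",          # TV with a DHCP reservation pointing at Cloudflare: exempt
    "192.168.1.42:51000 -> 203.0.113.53:53 udp",     # PC with manually set DNS: plain-DNS bypass
    "192.168.1.42:51001 -> 203.0.113.53:853 tcp",    # same PC using DoT: detectable by port 853
    "192.168.1.42:51002 -> 198.51.100.10:443 tcp",   # could be DoH, could be any website: not distinguishable
    "192.168.1.20:51300 -> 198.51.100.20:443 tcp",   # ordinary HTTPS
]

LOCAL_RESOLVER = "192.168.1.1"         # assumed address of the firewall's Unbound
DNS_EXEMPT = {"192.168.1.23"}          # hosts intentionally given an upstream resolver

# Ports that a LAN rule can meaningfully block or redirect.
BYPASS_PORTS = {53: "plain-dns-bypass", 853: "dot-bypass"}


def parse_flow(line: str) -> Tuple[str, int, str, int, str]:
    """Split one constructed flow line into (src_ip, src_port, dst_ip, dst_port, proto)."""
    src, _, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_ip, int(src_port), dst_ip, int(dst_port), proto


def classify(line: str, local_resolver: str = LOCAL_RESOLVER,
             exempt=frozenset(DNS_EXEMPT)) -> Optional[Tuple[str, str]]:
    """Return (src_ip, category) if the flow is a detectable resolver bypass, else None.

    Port 443 is never flagged: DoH shares the port with all other HTTPS traffic,
    so a port-based rule cannot single it out without a client-side proxy.
    """
    src_ip, _, dst_ip, dst_port, _ = parse_flow(line)
    if dst_port not in BYPASS_PORTS:
        return None
    if dst_ip == local_resolver or src_ip in exempt:
        return None
    return src_ip, BYPASS_PORTS[dst_port]


def find_bypasses(lines: List[str], local_resolver: str = LOCAL_RESOLVER,
                  exempt=frozenset(DNS_EXEMPT)) -> Dict[str, List[str]]:
    """Map each offending source IP to the sorted list of bypass categories seen."""
    seen = defaultdict(set)
    for line in lines:
        hit = classify(line, local_resolver, exempt)
        if hit:
            src_ip, category = hit
            seen[src_ip].add(category)
    return {ip: sorted(cats) for ip, cats in seen.items()}


if __name__ == "__main__":
    for ip, cats in find_bypasses(SAMPLE_FLOWS).items():
        print(f"{ip}: {', '.join(cats)}")
```

The enforcement counterpart on the firewall is the LAN rule meyergru describes (block or redirect destination ports 53 and 853 to the local resolver, with an exception for the reserved TV address); this script only shows which hosts such a rule would catch and, by returning nothing for the 443 flows, why it says nothing about DoH.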
Title: Re: How to force DNS
Post by: EricPerl on May 18, 2025, 09:00:45 PM
AdGuardHome offers some control over 3 with the right lists.
You'd get a cleaner way to manage exceptions for you and specific devices.

But it's not meant to thwart a motivated insider. Add VPN to the list of things she could try.