Yes, I agree that opening up UDP 443 is 100% going to make you vulnerable to DNS over the same UDP port if the same destination IP has both services available on that endpoint. This is always the struggle and compromise, but in some cases it is required that the functionality takes precedence over the possible risk of allowing the traffic. This is the situation I am in, since WhatsApp traffic must flow, even if it means allowing QUIC traffic (risk is accepted due to compatibility taking precedence).
As it happens, when a user makes a WhatsApp call and has an issue, I am now checking the logs at the exact time, finding the IPs and adding them to the whitelist for Zenarmor. This is similar to what you would do on your side, but has the disadvantage that nobody else in the world is able to benefit from my capturing of IPs and sharing that information. So while eventually, after a few months, the situation will get resolved for me, nobody else is assisted by this method.