I wonder if it is possible to set Cloudflare Gateway to respond NXDOMAIN for the canary domain use-application-dns.net used by Firefox.
Given Cloudflare is the default DoH provider for Firefox, another option might be for Cloudflare to check DoH requests for use-application-dns.net to see if Gateway is configured for the source IP, and then return NXDOMAIN as a default response if it is (I realize this is almost certainly impractical from a resource standpoint, but I thought I’d throw it out there anyway). The assumption would be that if Gateway is configured on an IP the admin for that IP would not want Firefox DoH to bypass Gateway.
I use a basic DNS server and forwarder built into a router for many client installations where another DNS server option is not available. Static DNS entries are a feature, but setting one to return NXDOMAIN is not. There are many ways for me to address this issue, but having Gateway respond NXDOMAIN would be the easiest and cheapest way.
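An added example to go with the post above (not the poster's code, and not part of Cloudflare Gateway or Firefox): a small checker that builds a DNS query for the canary domain, parses the resolver's wire-format answer, and reports whether Firefox would treat the answer as "disable DoH". It assumes Firefox's documented rule, an NXDOMAIN or a NOERROR answer with no A/AAAA records disables DoH, and additionally treats SERVFAIL as disabling, which is an assumption. The sample responses are constructed in the script so it runs offline; `query_resolver` is the optional live check against a real resolver.

```python
import socket
import struct

CANARY = "use-application-dns.net"   # Firefox's DoH canary domain
QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Minimal DNS query in wire format: one question, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg: bytes) -> dict:
    """Return the RCODE and the (type, rdata) pairs from the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                    # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"rcode": flags & 0x000F, "answers": answers}

def firefox_would_disable_doh(parsed: dict) -> bool:
    """Apply the canary rule to a parsed answer.

    NXDOMAIN and NOERROR-with-no-A/AAAA are the documented signals; counting
    SERVFAIL as a disabling signal is an assumption made here.
    """
    if parsed["rcode"] in (RCODE_NXDOMAIN, RCODE_SERVFAIL):
        return True
    return not any(rtype in (QTYPE_A, QTYPE_AAAA) for rtype, _ in parsed["answers"])

def build_response(query: bytes, rcode: int, a_records=()) -> bytes:
    """Constructed resolver reply for `query`: echoes the question, sets the RCODE,
    and appends one A record per IP given (names use a pointer to offset 12)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + socket.inet_aton(ip)
        for ip in a_records)
    return header + query[12:] + answers

def query_resolver(server: str, timeout: float = 2.0) -> dict:
    """Live check (needs network): ask `server` over UDP/53 for the canary's A record."""
    q = build_query(CANARY)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data)

if __name__ == "__main__":
    q = build_query(CANARY)
    # Constructed sample answers, not captured from any real resolver.
    samples = {
        "NXDOMAIN": build_response(q, RCODE_NXDOMAIN),
        "NOERROR, no records": build_response(q, RCODE_NOERROR),
        "NOERROR, A 192.0.2.1": build_response(q, RCODE_NOERROR, ["192.0.2.1"]),
    }
    for label, raw in samples.items():
        verdict = "DoH disabled" if firefox_would_disable_doh(parse_response(raw)) else "DoH stays on"
        print(f"{label:22s} -> {verdict}")
```

Pointing `query_resolver` at the router's forwarder shows directly whether the static-entry workaround from the post does what Firefox needs: an answer that carries an A record for the canary leaves DoH enabled, whatever else the entry does.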