In the future, it is advised to use endpoint security, group policies, MDM profiles, etc. to manage machines instead of monitoring the network.
The future of the web is encryption from the client to the server, with eSNI and encrypted DNS, so that anyone in the middle can't control the websites or services people use. This is mainly intended to stop ISPs from throttling certain websites and to thwart malicious totalitarian governments, but unfortunately enterprise networks often use the same methods as these bad actors to achieve the same results. The only thing that enterprises can do, but the bad actors can't, is to manage the device itself. If you must use your existing network hardware, MDM profiles can (or soon will be able to) block encrypted DNS from being used and block the use of eSNI. (For example, Chrome will prevent DoH from being used at all if any policies whatsoever are set up.)
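As an added illustration of the device-management approach described above (this is example code, not part of the original post), the script below builds a few constructed Chrome managed-policy files and reports the effective Secure DNS (DoH) mode each one yields. `DnsOverHttpsMode` (values `off`, `automatic`, `secure`) and `DnsOverHttpsTemplates` are real Chrome enterprise policies; the rule that the mere presence of any other policy turns automatic DoH off models the post's claim about managed environments, and the Linux policy directory path is the conventional location, so treat those details as assumptions to verify against your own deployment rather than as Chrome's exact detection logic.

```python
"""Audit Chrome managed-policy JSON for the effective Secure DNS (DoH) mode.

Constructed example for the post above. Chrome on Linux reads policy JSON
from /etc/opt/chrome/policies/managed/ (conventional path, assumption); here
the files are built in memory so the script runs offline.
"""
import json
from typing import Any, Dict, List

# Real Chrome policy values for DnsOverHttpsMode.
VALID_MODES = {"off", "automatic", "secure"}


def effective_doh_mode(policies: Dict[str, Any]) -> str:
    """Return the DoH mode Chrome would end up in for this policy set.

    - An explicit DnsOverHttpsMode wins.
    - Otherwise, any managed policy at all is taken to mark a managed
      environment, in which automatic DoH is not used (the post's claim;
      assumption about Chrome's heuristic).
    - With no policies, Chrome's default is automatic upgrade to DoH.
    """
    mode = policies.get("DnsOverHttpsMode")
    if mode is not None:
        if mode not in VALID_MODES:
            raise ValueError(f"unknown DnsOverHttpsMode value: {mode!r}")
        return mode
    if policies:
        return "off"
    return "automatic"


def load_policies(text: str) -> Dict[str, Any]:
    """Parse one policy file; Chrome policy files are a flat JSON object."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("policy file must contain a JSON object")
    return data


def audit(text: str) -> Dict[str, Any]:
    """Summarise the DoH posture of a policy file for a defender's review."""
    policies = load_policies(text)
    mode = effective_doh_mode(policies)
    explicit = "DnsOverHttpsMode" in policies
    findings: List[str] = []
    if mode == "automatic":
        findings.append("browser may upgrade to DoH; network DNS controls are bypassable")
    if mode == "off" and not explicit:
        findings.append("DoH off only by inference from a managed environment; set DnsOverHttpsMode explicitly")
    if mode == "secure":
        templates = policies.get("DnsOverHttpsTemplates", "")
        findings.append(f"DoH forced to approved resolver(s): {templates or '<none configured>'}")
    return {"mode": mode, "explicit": explicit, "findings": findings}


# Constructed sample policy files (not taken from any real deployment).
SAMPLE_EXPLICIT_OFF = json.dumps({"DnsOverHttpsMode": "off"})
SAMPLE_UNRELATED_ONLY = json.dumps({"HomepageLocation": "https://intranet.example"})
SAMPLE_EMPTY = json.dumps({})
SAMPLE_SECURE = json.dumps({
    "DnsOverHttpsMode": "secure",
    "DnsOverHttpsTemplates": "https://dns.corp.example/dns-query",  # placeholder resolver
})

if __name__ == "__main__":
    for name, text in [("explicit-off", SAMPLE_EXPLICIT_OFF),
                       ("unrelated-only", SAMPLE_UNRELATED_ONLY),
                       ("empty", SAMPLE_EMPTY),
                       ("secure", SAMPLE_SECURE)]:
        result = audit(text)
        print(f"{name}: mode={result['mode']} explicit={result['explicit']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

In practice you would point `load_policies` at each file in the managed-policy directory and feed the merged result to `audit`; the point of the explicit-off finding is that relying on Chrome's managed-environment inference is fragile, whereas setting `DnsOverHttpsMode` (or pinning `secure` to an internal resolver) states the intent directly.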