Caching proxy server from Apache people
/etc/squid/squid.conf
By default, Squid listens on port 3128 on localhost only. Define your ACLs and http_access rules in the config file. An example:
acl lab1 src 192.168.1.0/24
http_access allow lab1
You can implement this by disabling name resolution on the clients and instead using the proxy server system wide. This way, any DNS request is intercepted, inspected and dropped if needed.
TODO I don't think this works with DNS-over-HTTPS/TLS. A solution would be SSL bumping but this is generally a bad idea.
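An added example (not part of the original notes) of a squid.conf that combines the lab1 ACL above with hostname-based blocking at the proxy. The blocked domains are placeholders, and the overall rule set is an assumption about a typical setup:

```conf
# Added example, not from the original notes.
# Domain names below are placeholders (example.com / example.net).

# Proxy port (3128 is Squid's default).
http_port 3128

# Who may use the proxy: the lab subnet from the notes above.
acl lab1 src 192.168.1.0/24

# Destinations to refuse. A leading dot matches the domain and all of its
# subdomains. For HTTPS the client sends "CONNECT host:443", so dstdomain
# still matches on the hostname without decrypting any traffic.
acl blocked_sites dstdomain .ads.example.com .tracker.example.net

# Restrict CONNECT tunnels to the HTTPS port so the proxy cannot be used
# to tunnel to arbitrary services.
acl SSL_ports port 443
acl CONNECT method CONNECT

# http_access rules are evaluated top to bottom and the first match decides.
# Deny rules therefore go BEFORE the allow for lab1. With the order reversed
# ("allow lab1" first), lab clients would match the allow and never reach
# the blocked_sites rule.
http_access deny CONNECT !SSL_ports
http_access deny blocked_sites
http_access allow localhost
http_access allow lab1

# Everything not explicitly allowed above is refused.
http_access deny all
```

Check the file with `squid -k parse` before applying it with `squid -k reconfigure`.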
See the Arch Wiki (https://wiki.archlinux.org/title/Squid) for more info.