Yes, PiHole is the most common, but malware can easily bypass that using shared domains, P2P or IP addresses directly.
replyUse a filtering proxy instead and no gateway / route to the internet.
1) Dnsmasq, you don't need the whole PiHole for that.
reply2) You're advising security through obscurity instead of a network namespace + firewall.
You mean like PiHole or AdGuard?
replyOpenSnitch (+ block lists) ;)
replyor DNS stubs with filtering capabilities.