DNS can't block everything
DNS = Domain Name System.
Devices send requests to it to get the IP address of the website they want to connect to.
For example, we want to visit google.com.
Our device (the browser at this point, because we are sending the request from the browser to visit the website) sends a request to the DNS resolver that says: "Hey DNS, can you send me the IP address of the website I am looking for?" The resolver looks the name up (in its cache, or by asking the upstream servers), and if it finds a record it returns the address, and the browser then connects to that IP.
That's how DNS works.
And there is a service called Pi-hole that acts as your network's DNS resolver and uses that position to block ads, block telemetry domains, log your DNS queries, and so on.
But today I learned that DNS filtering can't give you full privacy: it can't block every telemetry or tracking request (like the ones going to China),
because of a concept that I call a SOLDERED IP ADDRESS (a hardcoded IP).
Instead of asking Pi-hole or any DNS server what the IP address of trackmefromchina.com is,
the software has an instruction that says "connect directly to 45.67.89.100."
Since this process never involves a domain name lookup, your DNS blocker is completely blind to it and cannot block the connection. The same blind spot applies to apps that carry their own resolver settings and talk DNS over HTTPS to a public resolver, since those lookups never pass through Pi-hole either. You can spot both cases by looking at your router's connection log or a packet capture for outbound connections to addresses that no DNS answer ever handed out.
This is precisely why relying only on DNS blocking is insufficient for a complete internet lockdown. You need a true firewall that controls traffic based on IP addresses and ports, not just domain names, and ideally one that is default-deny for outbound traffic with an allowlist, because a denylist of IPs has the same catch-up problem a domain blocklist does.
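The following is an added example, not code from the original note or from the Pi-hole project, that models the blind spot described above. A filtering resolver and an address/port firewall are both stand-ins written for this illustration: the domain names, the resolver table, the CIDR deny list and the 192.0.2.0/24 addresses (an RFC 5737 documentation range) are constructed; 45.67.89.100 and trackmefromchina.com are the illustrative values from the note. The same four outbound attempts are pushed through both filters so you can see which ones a DNS-only setup lets through.

```python
import ipaddress

# --- Constructed sample policy data (hypothetical, not from the note) ------

# Domain block list, the kind of thing a Pi-hole style resolver consults.
DNS_BLOCKLIST = {"trackmefromchina.com", "telemetry.example"}

# Resolver table standing in for real DNS answers. 45.67.89.100 is the
# address used in the note; 192.0.2.0/24 is a documentation range (RFC 5737).
FAKE_RESOLVER = {
    "trackmefromchina.com": "45.67.89.100",
    "telemetry.example": "192.0.2.50",
    "cdn.example": "192.0.2.10",
}

# IP/CIDR deny list for a firewall that filters on addresses, not names.
IP_DENYLIST = [ipaddress.ip_network(n) for n in ("45.67.89.100/32", "192.0.2.32/27")]


def dns_resolve(name):
    """Model a filtering resolver: blocked names get no usable answer (None)."""
    if name in DNS_BLOCKLIST:
        return None
    return FAKE_RESOLVER.get(name)


def connect_by_name(name, port=443):
    """Normal client path: ask DNS first, then connect to whatever it returned."""
    ip = dns_resolve(name)
    return {"dst": ip, "port": port, "via": "dns", "sent": ip is not None}


def connect_by_ip(ip, port=443):
    """Hardcoded ('soldered') address: no lookup happens, so nothing to filter."""
    return {"dst": ip, "port": port, "via": "hardcoded", "sent": True}


def firewall_allows(dst, port, denylist=IP_DENYLIST, blocked_ports=()):
    """Address/port based egress check that never looks at a domain name."""
    if dst is None:
        return False
    if port in blocked_ports:
        return False
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in denylist)


def simulate():
    """Run the same outbound attempts through DNS-only and IP/port filtering."""
    attempts = [
        connect_by_name("trackmefromchina.com"),   # caught by the DNS block list
        connect_by_name("cdn.example"),            # legitimate, passes both
        connect_by_ip("45.67.89.100"),             # DNS blocker is blind to this
        connect_by_ip("192.0.2.50", port=8443),    # also blind; CIDR rule catches it
    ]
    results = []
    for a in attempts:
        results.append({
            "via": a["via"],
            "dst": a["dst"],
            # What happens on a network with only a DNS blocker in the path.
            "reached_network": a["sent"],
            # What happens when an IP/port firewall also sits in the path.
            "passed_firewall": a["sent"] and firewall_allows(a["dst"], a["port"]),
        })
    return results


if __name__ == "__main__":
    for r in simulate():
        print(f"{r['via']:>9} -> {str(r['dst']):<15} "
              f"dns-only: {'sent' if r['reached_network'] else 'blocked':<7} "
              f"with firewall: {'sent' if r['passed_firewall'] else 'blocked'}")
```

The hardcoded connections report "sent" under the DNS-only column and "blocked" once the address filter is applied, which is the whole point of the note; in a real deployment the deny list in `firewall_allows` would be replaced by an allowlist checked the same way, so that anything not explicitly permitted is dropped.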