I had the same problem, browser extensions weren't enough, and I wanted something system-wide. So I built Sinkzone [1], a DNS tool that blocks everything unless allowlisted. It’s open-source and works across OSs. Thought it might be helpful if you're looking beyond NextDNS.

[1] https://github.com/berbyte/sinkzone

It sadly doesn't work.

I tried blocking Facebook on my phone using both the parental control option AND adding `facebook.com` to the deny list.

Somehow, the app is still chugging along totally unbothered.