Forum Discussion
Thanks for the reply. I do block QUIC, which makes it stop working but doesn't alert the user. In most cases, they need to manually turn it off to work. And our support folks get a call as to why their Wi-Fi is not working. My goal is to block it cleanly so that their phone or MacBook lets them know what is going on. According to Apple, the proper way is to return NXDOMAIN to the DNS queries. But the DNS queries are not blocked, only their access once the device tries to enable the iCloud Private Relay.
I think that if the DNS filtering offered custom rules, I could block the two DNS records they use to enable it and that would trigger the device to gracefully alert the user. Although the DNS query needs an NXDOMAIN reply and the DNS filtering may only offer to drop the request.
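A way to check which of the two outcomes discussed above (an NXDOMAIN reply versus a silently dropped query) a resolver actually produces, as an added example that is not part of the original post. The two hostnames are the ones Apple's guidance for network operators lists and are not named in the post; `probe()` and the resolver address passed to it are assumptions for illustration.

```python
import socket
import struct

# Hostnames from Apple's published guidance; the post itself does not name them.
RELAY_HOSTS = ("mask.icloud.com", "mask-h2.icloud.com")

def build_query(name, txid=0x1234, qtype=1):
    """Encode a minimal recursive DNS query (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(response, txid=0x1234):
    """Map a raw DNS reply (or None for a timeout) to the filter's behaviour."""
    if response is None:
        return "dropped"  # no reply at all, not the NXDOMAIN the post asks for
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction id or QR bit unset
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode == 0:
        return "resolved" if ancount else "nodata"
    return "rcode-%d" % rcode

def probe(resolver_ip, name, timeout=3.0):
    """Send one UDP query to resolver_ip and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "dropped"
    return classify(data)

def constructed_reply(query, rcode):
    """Constructed sample reply: echo the question with QR/RD/RA set and this RCODE."""
    return query[:2] + struct.pack("!H", 0x8180 | rcode) + query[4:]
```

Calling `probe()` for each name in `RELAY_HOSTS` against the filtered network's resolver shows whether the filter answers `nxdomain` or leaves the query `dropped`.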