confirmedcode / Lockdown-iOS

GNU General Public License v3.0

In-Built Mini DNS Server That Avoids Leaking DNS Requests For Blocked Domains, And Allows for DNS Overrides #85

Open gbu117 opened 3 years ago

gbu117 commented 3 years ago

iOS's VPN APIs allow (from what seems to be the case with e.g. OpenVPN apps) custom in-tunnel DNS servers to be specified, such that requests not exempt from the VPN APIs get captured and sent to the tunnel-specified servers. Given this, it would seem a great, albeit ambitious, plan to replicate this in the Lockdown app with a mini DNS server that listens inside the local VPN interface, which by default forwards to the PPP/DHCP-specified DNS IP or root servers, or a custom user-specified DNS server, or an integrated DNSCrypt, DoT or DoH client which would forward requests to the desired service, which can be configured manually or automatically as desired. The local DNS server would then integrate with the blocked and allowed requests by Lockdown to block related DNS requests, to avoid leaking undesired DNS requests to the network. This could then be set up properly if Lockdown were designed to allow full FQDN blocking, not just base-level domain blocking, i.e. a.b.c.d.z.example.com as opposed to just example.com; combined with protocol- and port-level blocking as well, this would allow Lockdown to become a pretty fully fledged firewall within the confines of iOS, and combined with a widget would be really useful.

TL;DR

Local DNS server to avoid leaking DNS requests for blocked requests, and allow filtering of other undesired DNS requests, and unbound local-zone/local-data style overriding of DNS entries, which, post-filtering, forwards to either OS-specified DNS server, user-specified server, or, if also integrated, a local DNSCrypt client.
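The policy core of the filter the proposal describes, as an added illustration that is not part of the issue or of the Lockdown code base: it parses a DNS query from the wire format, matches the queried name against a blocklist by whole labels (so a blocklist entry for example.com also covers a.b.c.d.z.example.com, but not notexample.com), lets a more specific allowlist entry win over a broader block entry, serves unbound-style local-data overrides from a small table, and only hands the untouched packet to an upstream forwarder when nothing local applies. Blocked names are answered with NXDOMAIN on the device, so they never reach any upstream resolver. The code is Python rather than Swift, the `Policy` structure, the record types handled (A only for overrides) and the sample names and address are assumptions made for the example, and the upstream forwarding step itself (DNSCrypt, DoT, DoH or plain UDP) is left to the caller.

```python
"""Tunnel-local DNS filter core: parse query -> block / override / forward."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

QTYPE_A = 1
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Decode labels at offset; returns (lower-cased name, offset after name)."""
    labels = []
    while True:
        length = packet[offset]
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compressed name in question")
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


@dataclass
class Query:
    txid: int
    qname: str
    qtype: int
    question: bytes  # raw question section, echoed back in any local reply


def parse_query(packet: bytes) -> Query:
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return Query(txid, qname, qtype, packet[12:off + 4])


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a standard recursion-desired query (used here to construct test input)."""
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


@dataclass
class Policy:
    blocked: set[str] = field(default_factory=set)           # name plus every subdomain
    allowed: set[str] = field(default_factory=set)           # exceptions; more specific entry wins
    local_data: dict[str, str] = field(default_factory=dict)  # exact name -> IPv4 (unbound local-data style)


def _longest_match(name: str, names: set[str]) -> int:
    """Label count of the longest listed suffix of name, or -1 if none matches."""
    labels = name.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in names:
            return len(labels) - i
    return -1


def decide(policy: Policy, qname: str) -> str:
    if qname in policy.local_data:
        return "override"
    block = _longest_match(qname, policy.blocked)
    allow = _longest_match(qname, policy.allowed)
    if block < 0:
        return "forward"
    return "forward" if allow >= block else "block"


def _reply(q: Query, rcode: int, answer: bytes = b"", ancount: int = 0) -> bytes:
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    return struct.pack("!6H", q.txid, flags, 1, ancount, 0, 0) + q.question + answer


def handle(packet: bytes, policy: Policy):
    """Return (verdict, reply_bytes); reply is None when the caller should forward upstream."""
    q = parse_query(packet)
    verdict = decide(policy, q.qname)
    if verdict == "block":
        return verdict, _reply(q, RCODE_NXDOMAIN)  # answered locally; nothing leaves the device
    if verdict == "override":
        if q.qtype != QTYPE_A:
            return verdict, _reply(q, RCODE_NOERROR)  # NODATA: name exists, no record of this type
        ip = IPv4Address(policy.local_data[q.qname]).packed
        rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + ip  # pointer to qname at offset 12
        return verdict, _reply(q, RCODE_NOERROR, rr, 1)
    return verdict, None


if __name__ == "__main__":
    # Constructed sample policy and queries for demonstration.
    pol = Policy(blocked={"example.com"}, allowed={"cdn.example.com"}, local_data={"router.lan": "10.0.0.1"})
    for name in ("ads.example.com", "a.b.cdn.example.com", "router.lan", "notexample.com"):
        print(name, "->", handle(build_query(7, name), pol)[0])
```

A real implementation would sit behind the tunnel's UDP socket: every packet goes through `handle`, local replies are written straight back to the client, and only the `forward` case is relayed to whichever upstream the user configured.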