Does anyone know an effective, efficient way to block VPNs, especially ProtonVPN and Windscribe? (VPNs lets kids around parental controls.)

ProtonVPN involves many host names. Worse, some may change. Here is an incomplete list, and I had to mangle the names to allow the forum to let me post them.

api.protonvpn-ch

protonvpn-com

protonvpn-net

account.protonvpn-com

dMFYGSLTQOJXXI33OOZYG4LTDNA.protonpro-xyz (not a normal host name)

MFYGSLTQOJXXI33ONVQWS3BOMNUA.protonpro-xyz (not a normal host name)

dns11.quad9-net

dns-google

us-free-48.protonvpn-net [lots of host names with different serial numbers]

node-us-04.protonvpn-net [lots of hosts with different country codes and serial numbers]

ec2-3-74-226-36.eu-central-1.compute.amazonaws-com [many variations of this]

It also directly connects by IP addresses (apparently not using DNS). One function is to get a server list.

(FYI: these IP addresses and host names can be found on the local machine in JSON files and log files, and there are some in Proton's GitHub repo.)

ProtonVPN uses DNS over HTTPS, so this can bypass family-friendly DNS set up by the parent on the Deco.

Is there a way to block outbound TCP port 53 (DNS) to force the clients to use a certain DNS server (like the Deco itself)?

Is there a way to block outbound DoH (DNS over HTTP)? 

How to block outbound port UDP 1194? This is is a common port for OpenVPN, which ProtonVPN supports.