In my router, for example, if a device ignores my LAN’s DNS server (which is now actually the Raspberry Pi, unless I route a certain device through the router for DNS instead), I can set a static IP for that specific device and mandate it to the Raspberry Pi as its DNS server (via the PiHole installation). I had to do this with my Roku, as it always tried to ignore my router’s designated DNS server (the RPi). Now I’m seeing its many queries in the PiHole dashboard, to sites like scribe.logs.roku(dot)com, google-analytics(dot)com, stream1.xdevel(dot)com, rtl-radio3-stream-thron(dot)com, rtl-radio3-stream-thron.akamaized(dot)net, some of which are “forwarded to one.one.one.one#53” (presumably Cloudflare on port 53…?), etc. Previously I had noticed in my router’s connections log that it was trying to reach 184.108.40.206 all the time.
My Android phone shows many connections to google(dot)com, connectivitycheck.gstatic(dot)com, play.googleapis(dot)com, and - fortunately - dns.decloudus(dot)com. (And on my Android, I’ve always disabled as much Google stuff as I can without replacing the OS!)
For, say, a suspect application on a particular device that’s using PiHole for DNS, you could start using the application and observe if any hidden connections are happening from that device in the PiHole dashboard. It’s not precise, but using one app at a time could help identify where any nefarious connections are originating.
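The one-app-at-a-time check described above can be run against Pi-hole's query log instead of by eye in the dashboard. The following is an added example, not part of the original post: it assumes the dnsmasq-style `query[...] ... from <client>` log lines that Pi-hole writes, and the function names, client IPs, timestamps, year and the `telemetry.suspect-app.example` domain are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the dnsmasq query-log style; IPs, times and the
# "suspect-app" domain are made up for illustration.
SAMPLE_LOG = """\
Mar  3 20:00:05 dnsmasq[812]: query[A] scribe.logs.roku.com from 192.168.1.50
Mar  3 20:00:05 dnsmasq[812]: forwarded scribe.logs.roku.com to 1.1.1.1
Mar  3 20:01:10 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.1.60
Mar  3 20:05:02 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.1.60
Mar  3 20:05:09 dnsmasq[812]: query[A] telemetry.suspect-app.example from 192.168.1.60
Mar  3 20:05:40 dnsmasq[812]: query[AAAA] telemetry.suspect-app.example from 192.168.1.60
Mar  3 20:06:15 dnsmasq[812]: query[A] google-analytics.com from 192.168.1.50
Mar  3 20:07:30 dnsmasq[812]: query[A] play.googleapis.com from 192.168.1.60
"""

QUERY_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")

def parse_queries(log_text, year=2024):
    """Yield (timestamp, client, domain) for each 'query[...]' line."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:  # skips 'forwarded', 'reply', 'cached' and malformed lines
            # The log carries no year, so the caller supplies one (assumption).
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(4), m.group(3).lower()

def new_domains_during(log_text, client, start, end, year=2024):
    """Domains the client queried in [start, end] but never before start."""
    baseline, during = set(), Counter()
    for ts, who, domain in parse_queries(log_text, year):
        if who != client:
            continue
        if ts < start:
            baseline.add(domain)      # seen before the app was opened
        elif ts <= end:
            during[domain] += 1       # seen while the app was in use
    return {d: n for d, n in during.items() if d not in baseline}

if __name__ == "__main__":
    window = (datetime(2024, 3, 3, 20, 5, 0), datetime(2024, 3, 3, 20, 10, 0))
    for domain, hits in new_domains_during(SAMPLE_LOG, "192.168.1.60", *window).items():
        print(f"{hits:3d}  {domain}")
```

A longer quiet baseline before opening the app reduces the number of unrelated background domains that show up as new.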