We need to allow guest wifi users access to internal webmail. I can create a loopback easily, and this works for most clients. We are having an issue with Android though, due to its use of DoT (DNS over TLS). This occurs on port 853 and does not trigger the DNS rewrite.
I discussed blocking 853 outbound, but it looks like Android will also try DNS over HTTPS, and I obviously cannot block 443. This is guest wifi, so MDM to disable DoT is not an option. Does anyone know of a way to do this without having to make any changes on client devices?
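The redirect-and-block part of the question, written out as an added example (not from the original post and not the poster's own router config) in the form of an nftables ruleset on the guest-wifi gateway. The interface name, guest subnet and internal resolver address are assumptions. It does the two things the post describes: force every port-53 query from guest clients to the internal resolver that holds the webmail rewrite, and refuse DoT on tcp/853. Port 443 is deliberately left untouched, so it does nothing about DoH.

```nft
# Added example, not part of the original post. Interface name, subnet and
# resolver address are assumptions; substitute your own.
#
# 1. Plain DNS (udp/tcp 53) from guest clients is DNAT'd to the internal
#    resolver, whatever server the client actually asked (e.g. 8.8.8.8).
#    Conntrack reverse-maps the reply, so the client sees an answer from the
#    server it queried.
# 2. DoT (tcp 853) is rejected with a TCP RST rather than silently dropped,
#    so a client probing for DoT fails immediately instead of waiting for a
#    timeout before it falls back.
# Nothing here touches tcp/443, so DoH is not addressed by this ruleset.

define guest_if  = "wlan-guest"     # assumption: guest SSID interface
define guest_net = 192.168.50.0/24  # assumption: guest client subnet
define resolver  = 10.0.0.53        # assumption: internal DNS holding the rewrite

table inet guest_dns {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Hijack all port-53 DNS from the guest network to the internal resolver.
        iifname $guest_if ip saddr $guest_net meta l4proto { tcp, udp } th dport 53 dnat ip to $resolver
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Refuse DoT with an RST so the client gives up on 853 quickly.
        iifname $guest_if ip saddr $guest_net tcp dport 853 reject with tcp reset
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`. The `reject with tcp reset` choice matters: a silent drop leaves the client's 853 connection attempt hanging until it times out, while an RST makes the failure visible at once, which is what you want if you are relying on the client falling back to plain DNS that the first rule can rewrite.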