How to disable DNS over HTTPS (DoH) and DNS over TLS (DoT) network-wide for Apple iOS and macOS
Solution 1:
There's no similar network-wide opt-out canary domain feature for iOS and macOS in general. However, if you use for example Firefox on macOS, you can use that feature to disable it for that one browser in particular - unless the user opts-in to DoH/DoT in which case the feature does not do anything.
You can usually block DoT in your OpenWrt router by blocking outgoing port 853. You can usually block DoH by blocking port 443, however that would also mean blocking most web sites.
Note that if you do block port 853 in your router, iOS will give the user a warning that encrypted DNS is being blocked by the network!
If there's a specific DNS server (or smaller list of servers) that you do not want to be used on your network, you can block all traffic to that IP address in your OpenWrt router. Similar warnings apply.
Finally if you have control over the Apple devices yourself, you can use MDM to change their DNS settings. In particular you could for example enable DoH and point it to your own server - or point it to a server that doesn't exist - effectively disabling it.