HA uses cloudflare DoT as a fallback for the reasons I outlined here. If you block all DoT traffic on your network then you should disable the fallback with this:
ha dns options --fallback=false
Although I would advise first running the following command:
ha resolution info
As noted in my post HA has some challenges with DNS servers that most other systems don’t face since it’s musl based. If you see no DNS issues in the output of the second command then feel free to disable the fallback. If you do then I would recommend looking into those first.