Hacker News

I wonder if hardcoding your DNS servers will help. I guess sometimes this is not possible because in corporate environments DNS servers are sent via DHCP.

“More technically, the impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned. Specific to your Wi-Fi configuration, you can mitigate attacks (but not fully prevent them) by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.”

So yes, but, as you say, lots of things can override your explicit DNS settings. Even browsers can do it these days.

Run WireGuard. Effectively treat WiFi as untrusted and VPN over it. Have WireGuard send over your DNS on the other side, and have that DNS use D-o-T or D-o-H depending on your threat model.

Use Ethernet on stationary devices, and WiFi on mobile devices.
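One practical check for the "send your DNS over WireGuard" advice, as an added example (not code from this thread or from the WireGuard project): in a wg-quick config, `DNS =` in `[Interface]` only tells the OS which resolver to use; the queries actually travel through the tunnel only if that resolver's address is covered by some peer's `AllowedIPs`. A split-tunnel config that points at a public resolver, or an IPv6 resolver with only `0.0.0.0/0` allowed, sends DNS in the clear over the Wi-Fi you were trying to distrust. The config texts below are constructed for the example; keys are placeholders. This checks the WireGuard config only; it cannot tell whether the OS or a browser later overrides the resolver, as the comment above notes.

```python
"""Check whether a wg-quick config will route its DNS servers through the tunnel.

Added example, not from the thread or the WireGuard project. Parses the standard
wg-quick INI format: DNS= under [Interface], AllowedIPs= under [Peer]. Any DNS
server not inside some AllowedIPs network is queried outside the tunnel.
"""
import ipaddress
import re

# Constructed sample configs (placeholders, not real keys or hosts).
FULL_TUNNEL_CONF = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.8.0.2/24
DNS = 10.8.0.1

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.8.0.2/24
DNS = 1.1.1.1   # public resolver, but only private ranges go through the tunnel

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 10.8.0.0/24, 192.168.50.0/24
"""

V4_ONLY_CONF = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.8.0.2/24, fd42::2/64
DNS = 10.8.0.1, fd42::1

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
"""


def parse_wg_config(text):
    """Return (dns_servers, allowed_networks) parsed from wg-quick INI text."""
    dns, allowed, section = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        key, _, value = line.partition("=")          # first '=' only: base64 keys end in '='
        key = key.strip().lower()
        items = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key == "dns":
            for item in items:
                try:
                    dns.append(ipaddress.ip_address(item))
                except ValueError:
                    pass                             # wg-quick also allows search domains here
        elif section == "peer" and key == "allowedips":
            allowed.extend(ipaddress.ip_network(i, strict=False) for i in items)
    return dns, allowed


def dns_leaks(text):
    """Return DNS server addresses (as strings) that no peer's AllowedIPs covers."""
    dns, allowed = parse_wg_config(text)
    # ipaddress' 'in' returns False across address families, so fd42::1 is not
    # covered by 0.0.0.0/0 and is correctly reported as a leak.
    return [str(d) for d in dns if not any(d in net for net in allowed)]


if __name__ == "__main__":
    for name, conf in [("full tunnel", FULL_TUNNEL_CONF),
                       ("split tunnel", SPLIT_TUNNEL_CONF),
                       ("v4-only allowed", V4_ONLY_CONF)]:
        leaks = dns_leaks(conf)
        print(f"{name}: {'OK' if not leaks else 'DNS outside tunnel: ' + ', '.join(leaks)}")
```

Run it against your own client config to see which resolvers would bypass the tunnel; the fix is either to add the resolver's address (or `0.0.0.0/0, ::/0`) to `AllowedIPs` or to point `DNS =` at a resolver that lives inside the tunnel.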
