There's a relatively simple and pain-free solution to legitimate DPI: blocking all requests that don't go through a proxy. Browsers will ignore some certificate restrictions if they detect manually installed TLS root certificates to make corporate networks work.
This approach won't work on apps like Facebook or Instagram, but I don't think there's a legitimate reason to permit-but-snoop on that sort of traffic anyway.
This approach won't work on apps like Facebook or Instagram, but I don't think there's a legitimate reason to permit-but-snoop on that sort of traffic anyway.