Don't use the default DNS you get back from DHCP on these networks. Use DoH or DoT or something end-to-end encrypted. By default, your DNS requests ("what IP does
blockedsite.com resolve to?") are unencrypted and trivial to intercept and return false data for.