Comment by temp0826
2 days ago
Iptables can be used to dump any traffic destined for port 53 to a dns server of your choosing, but I don't know if something like that exists in consumer routers. (Blocking a baked in doh client is a lot more complicated...)
Yeah it would depend on your equipment - but basically if stuff pins and IP instead of doing DNS you would have to block the IP's of all the common resolvers (or at least the ones it will try)
Why not forbid going outside on port 53 and (optionally) redirect to the local DNS servers:
(nftables syntax)
ip saddr != @lan_dns ip daddr != @lan_dns udp dport 53 counter dnat ip to numgen inc mod 2 map { 0 : 192.168.1.1, 1 : 192.168.1.2 } comment "Force all DNS traffic to go through local DNS servers"