Well, the real issue is DNS "leakage", because some (most?) browsers and
lots of phone apps use their own resolvers, thus bypassing your advertised
DNS resolver.  My solution is on the router: I set up dnsmasq as my local
resolver (with adblock and DNSSEC, stubby is my backend for DoT), don't
even bother advertising it and then have three sets of firewall rules to
make sure all hosts adhere to the One True DNS:

1) DNS redirect: All LAN device requests to WAN (or LAN) at port 53 are
redirected to the router:53.
2) DoT block: All LAN devices attempting to access port 853 anywhere are
blocked.
3) DoH block: All LAN devices that attempt to access port 443 on WAN are
checked against a couple of sets of host IP addresses (one each for IPv4
and v6), and if the external host is a known-DoH resolver, the request is
blocked.  (I update nightly from https://github.com/dibdot/DoH-IP-blocklists)

When setting this up, I watched tcpdump for various requests and
convinced myself that I was catching 99% of everything, but I have not even
tried to figure out DNS-over-QUIC and how it might be getting past my rules.

#1 means that if I go to any machine in the house and say 'nslookup
blarg.com 8.8.8.8' or 'dig @8.8.8.8 blarg.com', then I see my router as the
DNS resolver in the response, even though I explicitly asked for 8.8.8.8 to
resolve it.  Which in turn means that DNS configuration on a per-machine
basis is not required, and anyone connecting to my network is subject to my
rules.

#3 causes some browsers to hang because they really, really want to use
DoH.  Usually there is a browser setting to disable DoH, so it resorts to
plain DNS (at least there is in Firefox, which is what I make everyone here
use; yeah, I'm dictator :) ).

On Sun, Dec 18, 2022 at 9:57 AM Michael Smith <mich...@kmaclub.com> wrote:

> I am not aware of a way, but hopefully someone else has ideas.
>
> I run two instances of pihole.  One for the grown ups that points upstream
> to 1.1.1.1 and the other points to 1.1.1.3.
>
> Then I use similar stanzas below to point the clients to the right pihole
>
> Michael
>
> On Dec 18, 2022, at 9:10 AM, Jonathan Stafford <thecabi...@gmail.com>
> wrote:
>
> Thanks, Michael.  That will work to get them using that server, but it's
> totally bypassing dnsmasq which means my local entries from /etc/hosts
> don't resolve.  I'd like both things to work to be difficult :)
>
> On Sun, Dec 18, 2022 at 10:36 AM Michael Smith <mich...@kmaclub.com>
> wrote:
>
>> On 12/18/22 06:59, Jonathan Stafford wrote:
>>
>>> --server provides a way to change upstream resolvers based on the domain
>>> being queried.  Is there a way to make the same sort of change based on the
>>> client doing the querying?  For example, I'd like the IP address range I
>>> use for my kids' devices to use 1.1.1.3.
>>
>>
>> You can achieve this using tags:
>>
>>
>>
>> # Define DNS servers
>> # Default for every DHCP client: hand out 1.1.1.1 as the DNS server
>> dhcp-option=option:dns-server,1.1.1.1
>> # Clients carrying the kidsdevices tag get 1.1.1.3 instead
>> dhcp-option=tag:kidsdevices,option:dns-server,1.1.1.3
>>
>>
>> # Tag the kids' devices by MAC address so the tagged option applies to them
>> dhcp-host=0c:51:01:95:d3:36,set:kidsdevices   # Ipad
>> dhcp-host=58:41:4E:CD:D2:0A,set:kidsdevices   # Iphone
>>
>>
>> Michael
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss@lists.thekelleys.org.uk
>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>>
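The three firewall rules described in the top post, rendered as an nftables ruleset. This is an added example, not the poster's own rules (which are not shown): it assumes a Linux router running nftables with LAN interface br-lan and WAN interface eth0 (both overridable through the environment), and blocklist files in the layout assumed for the dibdot lists (one address or CIDR per line, anything after '#' a comment). The two sample lists are constructed inline for the demo; they are not the real downloads. It also goes one step past the post: port 853 is refused for UDP as well as TCP, which covers the DNS-over-QUIC port assigned by RFC 9250, and the DoH sets are matched on UDP 443 too, which covers DoH carried over HTTP/3.

```shell
#!/bin/sh
# Added example (not the original poster's rules): render the "One True DNS"
# firewall policy as an nftables ruleset. Assumed, hypothetical settings:
# LAN interface br-lan, WAN interface eth0; override via the environment.
# Apply on the router with:  gen_dns_ruleset doh-ipv4.txt doh-ipv6.txt | nft -f -
LAN_IF="${LAN_IF:-br-lan}"
WAN_IF="${WAN_IF:-eth0}"

# Convert a blocklist file (assumed format: one address or CIDR per line,
# blank lines and '#' comments allowed) into a comma-separated nft element list.
set_elements() {
    awk 'NF && $1 !~ /^#/ { printf "%s%s", sep, $1; sep = "," }' "$1"
}

# Emit one named set. An empty list gets no elements clause, because
# "elements = { }" is a syntax error for nft.
emit_set() {
    if [ -n "$3" ]; then
        printf '    set %s { type %s; flags interval; elements = { %s }; }\n' "$1" "$2" "$3"
    else
        printf '    set %s { type %s; flags interval; }\n' "$1" "$2"
    fi
}

# $1: IPv4 blocklist file, $2: IPv6 blocklist file. Writes the ruleset to stdout.
gen_dns_ruleset() {
    echo 'table inet dnsguard {'
    emit_set doh4 ipv4_addr "$(set_elements "$1")"
    emit_set doh6 ipv6_addr "$(set_elements "$2")"
    cat <<EOF

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # 1) DNS redirect: every port-53 query entering from the LAN, whatever
        #    its destination (WAN or another LAN host), is DNATed to this
        #    router's own address on port 53, where dnsmasq listens
        iifname "$LAN_IF" udp dport 53 redirect to :53
        iifname "$LAN_IF" tcp dport 53 redirect to :53
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # 2) DoT block: port 853 to anywhere; udp/853 also catches DNS-over-QUIC (RFC 9250)
        iifname "$LAN_IF" tcp dport 853 reject
        iifname "$LAN_IF" udp dport 853 reject
        # 3) DoH block: 443 to a known DoH resolver address; udp/443 covers DoH over HTTP/3
        iifname "$LAN_IF" oifname "$WAN_IF" ip daddr @doh4 tcp dport 443 reject
        iifname "$LAN_IF" oifname "$WAN_IF" ip daddr @doh4 udp dport 443 reject
        iifname "$LAN_IF" oifname "$WAN_IF" ip6 daddr @doh6 tcp dport 443 reject
        iifname "$LAN_IF" oifname "$WAN_IF" ip6 daddr @doh6 udp dport 443 reject
    }
}
EOF
}

# Constructed sample blocklists (a few public resolvers; not the real dibdot files)
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf '# constructed sample\n1.1.1.1 # cloudflare\n8.8.8.8\n\n9.9.9.9\n' > "$DEMO_DIR/doh-ipv4.txt"
printf '2606:4700:4700::1111\n2001:4860:4860::8888\n' > "$DEMO_DIR/doh-ipv6.txt"

gen_dns_ruleset "$DEMO_DIR/doh-ipv4.txt" "$DEMO_DIR/doh-ipv6.txt"
```

Two properties of this layout matter in practice. The redirect lives in the nat prerouting hook, so a client's `dig @8.8.8.8` is answered by the router's resolver exactly as the post describes, while the blocks live in the forward hook, so the router's own stubby connection to its upstream on port 853 is not affected. Rerunning the generator after the nightly blocklist download and piping it into `nft -f -` replaces the sets atomically. What it cannot do is catch DoH to a resolver missing from the lists or one listening on a port other than 443, which is why the poster's tcpdump check is worth repeating after each list update.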