Assuming no use of DoH. I worry that increasingly devices on your home network will ignore the LAN recommendations for DNS server and be MUCH harder to block.
I log all attempts by devices on my network to port 53. Android apps, Roku, Google Home devices, and various others are quite aggressive about going directly to various DNS servers if they don't get what they want from the local DNS server.
Using Wireshark to track what's going on, it's not unusual to see 7,000 DNS requests for a domain I'm blocking in just a few seconds. The Android client for YouTube seems to be particularly persistent.
Could you explain? I don't use dnsmasq, but I do use unbound. I do block outgoing port 53 (UDP and TCP) and force the use of my unbound server.
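For readers who want to see what "block outgoing port 53 and force the use of my unbound server" looks like in practice, here is an added nftables ruleset. It is example code, not something posted by anyone in this thread. It assumes the router runs nftables, that the LAN-facing interface is named lan0, and that unbound listens on 192.168.1.1; all three are assumptions. Stubborn clients that insist on their own resolver get logged and transparently redirected to unbound, and whatever still tries to leave on port 53 (for instance IPv6 queries, which the IPv4 DNAT rule does not cover) is logged and dropped. It also blocks DoT on 853; as the comment above notes, DoH on 443 cannot be stopped this way.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumptions: LAN interface "lan0",
# unbound listening on 192.168.1.1 on the router itself.

table inet dns_enforce {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Any IPv4 DNS query from the LAN that is not already aimed at unbound
        # is logged (so the misbehaving device shows up in the journal) and
        # then DNAT'd to unbound. The client never learns it was redirected.
        iifname "lan0" meta l4proto { tcp, udp } th dport 53 ip daddr != 192.168.1.1 log prefix "DNS-REDIRECT " dnat ip to 192.168.1.1
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Redirected IPv4 packets now terminate on the router and never reach
        # this chain. Anything that still wants to be forwarded on port 53
        # (e.g. IPv6 queries to a public resolver) is logged and dropped.
        iifname "lan0" meta l4proto { tcp, udp } th dport 53 log prefix "DNS-BLOCK " drop
        # DNS-over-TLS has its own well-known port and can be blocked the same way.
        # DNS-over-HTTPS rides on 443 and is not addressed by this ruleset.
        iifname "lan0" tcp dport 853 log prefix "DOT-BLOCK " drop
    }
}
```

Load it with `nft -f <file>` and watch the "DNS-REDIRECT" and "DNS-BLOCK" prefixes in the kernel log (`journalctl -k` or `dmesg`) to get the same kind of per-device view the commenter describes getting from Wireshark. Because the redirect happens in the nat prerouting hook, the returning answer is un-NATed automatically and the client sees a normal reply from the address it asked; clients that validate the resolver (DoT/DoH) are exactly the ones this cannot cover.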
Quite a few apps and devices ignore the DNS recommendations provided by radvd (for IPv6) and DHCP (for IPv4).
That way I can block YouTube, Instagram, Netflix, Imgur, Reddit, and similar services that my kids are addicted to if they are avoiding homework and the like.
How exactly does that "compromise the DNS chain"? Unbound is DNSSEC-aware, and talks to the same root servers that the ISP, Google, OpenDNS, or similar services would talk to.