by Dahoon 2015 days ago
>I'm lucky enough to be able to direct ALL DNS through my router first

Even DNS over HTTPS? Do you do packet inspection? Just blocking ports doesn't do much any more. I run an IDS/IPS and it blocks lots of DoH to Google. Apple devices are even worse.


Would you mind sharing a bit more detail on your setup?
I'm not sure what the commenter's setup is, but I have one that (at least mostly) achieves the same thing. It is a combination of a few things:

1. Redirect all outbound DNS traffic to your own local DNS server (as described in the link in this post)
2. Return NXDOMAIN for well-known DoH domains [1] (as well as "use-application-dns.net" for well-behaving software like Firefox [2])
3. Block traffic to well-known DoH providers by destination IP address [1]

[1] https://github.com/bambenek/block-doh
[2] https://support.mozilla.org/en-US/kb/configuring-networks-di...

Yep, pretty much the above - I have a combination of rules that control all traffic. Only the router is allowed to use port 53 outbound - all other traffic is redirected using NAT to the router's DNS server.

I mentioned Mikrotik previously - I use them myself.
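The three-step setup described in the two comments above (NAT-redirect port 53 to the router's resolver, answer NXDOMAIN for DoH and canary domains, drop traffic to DoH endpoints by IP), written out as an added example for a Linux router with nftables and unbound rather than Mikrotik. This is not code from either commenter or from the block-doh project; the interface name, router resolver address and the handful of DoH domains and IPs are constructed placeholders, and the real lists would come from [1].

```shell
#!/bin/sh
# Added example: emit an nftables ruleset and an unbound snippet that
# implement DoH blocking on a Linux router. Assumptions (not from the thread):
#   LAN_IF     - LAN-facing interface of the router
#   ROUTER_DNS - the router's own resolver, reachable from the LAN
# The domain/IP lists below are a constructed sample, not a complete list.

LAN_IF="${LAN_IF:-eth1}"
ROUTER_DNS="${ROUTER_DNS:-192.168.1.1}"

# Step 2 input: DoH hostnames plus the Firefox canary domain from [2].
DOH_DOMAINS="dns.google cloudflare-dns.com use-application-dns.net"
# Step 3 input: resolver addresses used by those providers (IPv4 only here).
DOH_IPS="8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1"

# Steps 1 and 3 as an nftables ruleset (load with: nft -f <file>).
gen_nft_ruleset() {
  cat <<EOF
table inet dohguard {
  set doh_ips {
    type ipv4_addr
    elements = { $(printf '%s' "$DOH_IPS" | tr ' ' ',') }
  }
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # Step 1: every LAN client's port-53 query, whatever its destination,
    # is rewritten to the router's resolver.
    iifname "$LAN_IF" meta l4proto { tcp, udp } th dport 53 dnat ip to $ROUTER_DNS:53
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    # Step 3: drop forwarded traffic to known DoH endpoints by destination IP.
    iifname "$LAN_IF" ip daddr @doh_ips drop
    # Belt and braces: port 53 from the LAN should never reach the forward
    # path after the DNAT above; only the router itself may use it outbound.
    iifname "$LAN_IF" meta l4proto { tcp, udp } th dport 53 drop
  }
}
EOF
}

# Step 2 as an unbound config fragment: each listed name, and everything
# under it, gets NXDOMAIN. For use-application-dns.net this is the signal
# that tells Firefox to disable its DoH default on this network.
gen_unbound_block() {
  for d in $DOH_DOMAINS; do
    printf 'local-zone: "%s." always_nxdomain\n' "$d"
  done
}

case "${1:-}" in
  nft)     gen_nft_ruleset ;;
  unbound) gen_unbound_block ;;
  *)       gen_nft_ruleset; echo; gen_unbound_block ;;
esac
```

Run as `sh doh-guard.sh nft > /etc/nftables.d/doh.nft` and `sh doh-guard.sh unbound > /etc/unbound/unbound.conf.d/doh.conf` (paths are assumptions). Step 3 only catches DoH servers whose IPs are on the list; a client pointed at an unlisted DoH endpoint still escapes, which is the gap the IDS/IPS mentioned earlier in the thread is meant to cover.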

I’m interested too.
Not DNS over HTTPS currently, although investigating a way to MitM the connections with a proxy.