by caymanjim 646 days ago
I don't want my browser ignoring my DNS settings. I went through a lot of effort to set up Pihole in front of a local BIND server with split-horizon DNS for my VPS subdomains and my local subdomains, with caching and control over upstream resolvers, routed through Wireguard to avoid ISP snooping/hijacking.

It's bad enough that so many devices and applications already ignore DNS settings or hard-code IPs. I want everything going through my DNS.


Block all outgoing traffic to port 53 in your router. This catches everything using plaintext DNS or DoT.
This does nothing to stop anything intentionally circumventing your DNS settings. There's no reason DNS traffic has to be on port 53, and DoH is undetectable.
>This does nothing to stop anything intentionally circumventing your DNS settings.

It makes it substantially more difficult. My firewall statistics are proof of that. On a production network you'd have everything blocked.
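A defender-side sketch of the per-host check that the firewall statistics above imply, added here as an example and not taken from the thread: it parses constructed connection records, treats DNS to port 53 or 853 from anything but the local resolver as a bypass, and counts port-443 traffic separately because DoH cannot be told apart from ordinary HTTPS by port alone. The log format, the LAN addresses and the resolver address are assumptions.

```python
"""Flag LAN hosts that talk DNS upstream instead of through the local resolver.

Constructed example: the record format, the 192.168.1.0/24 LAN and the
resolver address are assumptions, not details from the thread.
"""
import re

RESOLVER_IP = "192.168.1.2"            # assumed Pi-hole/BIND host
DNS_PORTS = {53: "plaintext-dns", 853: "dns-over-tls"}

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def classify(line):
    """Return (src, verdict) for one record, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dport = m["src"], int(m["dport"])
    if dport in DNS_PORTS:
        # Only the local resolver may query upstream; anyone else is bypassing it.
        verdict = "allowed-resolver" if src == RESOLVER_IP else "bypass:" + DNS_PORTS[dport]
    elif dport == 443:
        # DoH rides on normal HTTPS: a port rule cannot single it out, so this
        # is only labelled, never counted as a finding.
        verdict = "https-indistinguishable"
    else:
        verdict = "other"
    return src, verdict


def summarize(lines):
    """Map each source host to a count of bypass verdicts; other traffic is ignored."""
    per_host = {}
    for line in lines:
        result = classify(line)
        if result and result[1].startswith("bypass:"):
            src, verdict = result
            counts = per_host.setdefault(src, {})
            counts[verdict] = counts.get(verdict, 0) + 1
    return per_host


SAMPLE_LOG = [  # constructed records; upstream addresses are TEST-NET (203.0.113.0/24)
    "src=192.168.1.2 dst=203.0.113.1 proto=udp dport=53",
    "src=192.168.1.20 dst=203.0.113.1 proto=udp dport=53",
    "src=192.168.1.20 dst=203.0.113.1 proto=tcp dport=853",
    "src=192.168.1.31 dst=203.0.113.2 proto=udp dport=53",
    "src=192.168.1.31 dst=203.0.113.3 proto=tcp dport=443",
    "not a connection record",
]

if __name__ == "__main__":
    for host, counts in summarize(SAMPLE_LOG).items():
        print(host, counts)
```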