[jimsmart]

> That doesn’t correct the situation in which the device is ignoring DHCP DNS requests.

That's the first time such a thing has been mentioned in this thread.

But I now get what you're trying to say in your comment above.

Sure, one can use e.g. iptables, to forward all outbound traffic on some port to some local IP. If your router has such capabilities.

But your rules won't be as simple as forward all port 53 traffic: you'll need to ensure that you exclude the PiHole from any rules like that (otherwise it would create an infinite loop) - or ensure the rule is specific for the device(s) in question.

And of course it wouldn't work if the device is using DoH.

But the issue you've introduced here, a device with hard-coded DNS, isn't really what this thread is about — the topic here was ~about wanting to group clients in PiHole, and different ways to configure the router to achieve this, without only seeing a single requesting client IP at the PiHole.

[master_crab]

The question and assessment is around how your dhcp device can control DNS behavior (usually by broadcasting the name server IP). And I pointed out many devices that do DHCP often also act as the gateway device and internal firewall.

It’s not meant to answer your direct question, but pointing out what’s possible. Because yes, there are a lot of IoT and other devices that misbehave on a network.

And it’s incredibly trivial to port ban or port forward a selection of IPs and not affect the behavior of your Pi-hole. Packets carry last hop ip and source ip. I do it all the time on my gateway device.

DoH is a completely different story. Now you are talking about browser based DNS systems, apple private relay and other related 443 based solutions.

[jimsmart]

> DoH is a completely different story.

Yes. And that's why, in the context of misbehaving devices, carrying their own methods of doing DNS, I mentioned it.

> Now you are talking about browser based DNS systems, apple private relay and other related 443 based solutions.

No, not at all. Anything can use DoH. Doesn't need to be browser-based, nor using Apple private relay, nor anything of the kind. A device simply needs to be coded to make its DNS queries over HTTP. In a similar fashion to how it might have a hard-coded value for its DNS lookups, the developer can simply include a small library to do DoH instead. And that's not going to be so easily filterable by a rule for outgoing traffic / port forwarding.

I have all of my PiHole DNS lookups going over DoH. Have done for years now. Because when I originally setup my secure DNS, DoH was a better choice that DoT, because DoT was very much still in flux. And by comparison, DNS over an existing standardised transport is pretty much a known quantity. So that was my choice. And it works great.

So all of my network's DNS lookup go out over DoH... there's lots of DNS providers that provide DoH nowadays, including plenty of very big providers. My secure DNS proxy cycles between different servers.

DoH functionality is even just built-in to Bind these days.

In reality, DoH isn't in any way restricted just to the services you describe here. Far from it. It can be used anywhere. It's just a protocol. With plenty of destination endpoint support, out there in the real-world.

And if some device wants to control its DNS to that kind of level, then, beyond simply having a hard-coded DNS server value, using DoH is pretty easy.

No browsers needed, no Apple Private Relay needed.