What are you guys using for a router that you love?

If you're just using PiHole to back this up, well, you're a bit incorrect. Quite a few devices have their own hardcoded DNS servers - regardless of what you set up or provide via DHCP.
To overcome that I block outgoing port 53 at my router. But obviously, in those cases, PiHole isn't ever seeing the traffic or client, so it won't report on it.
If you're trying to block outgoing DNS from everything except PiHole you should be blocking 853 (DoT) as well. You should also block 443 to all known DoH servers. Of course DoH to unknown servers will ignore all that shit and breeze on through. It is my sincere desire that the inventors of DoH live to be 200 years old and suffer the pain of shingles every day between now and then. ;>
 
If you're trying to block outgoing DNS from everything except PiHole you should be blocking 853 (DoT) as well. You should also block 443 to all known DoH servers. Of course DoH to unknown servers will ignore all that shit and breeze on through.
Yeah, and I do, though as you point out, it's not as sure-fire. Each device I've personally interrogated used port 53. I no longer have any of those kinds of devices, haven't for about 5-6 years now, so I'm not sure what more contemporary ones are using.
 
If you're just using PiHole to back this up, well, you're a bit incorrect. Quite a few devices have their own hardcoded DNS servers - regardless of what you set up or provide via DHCP.
To overcome that I block outgoing port 53 at my router. But obviously, in those cases, PiHole isn't ever seeing the traffic or client, so it won't report on it.
I did gloss over a bit. I do block all that. I've watched with things like Wireshark. Google Home wouldn't work if it didn't have DNS unless they hardcoded IP addresses, which doesn't seem practical at all. Plus they do show up in my Pi-hole.

The Google Home devices are quiet. Roku, Amazon, and Windows systems not locked down? Not so much.
 
If you're trying to block outgoing DNS from everything except PiHole you should be blocking 853 (DoT) as well. You should also block 443 to all known DoH servers. Of course DoH to unknown servers will ignore all that shit and breeze on through. It is my sincere desire that the inventors of DoH live to be 200 years old and suffer the pain of shingles every day between now and then. ;>

With a proper router, you can create rules that allow DoT and/or DoQ and/or DNSCrypt outbound ports to access only certain IP addresses. You can't do much about DoH, but if you have IPS/IDS that gets regularly updated to block malicious IP, then I'd use that.

Some devices do indeed force whichever DNS they desire, regardless of on-device and DHCP settings. I have one Android device that keeps trying to use plaintext versions of the DoH DNS addresses I use for Pi-Hole. Router DHCP and on-device DNS are set to the local IP of my local private DNS server, which points to a set of very unique DoH server addresses. That Android device does use the local IP of my DNS server, but it also tries to send packets directly to plaintext versions of those unique DoH DNS server addresses. The DoH addresses I use aren't typical Google, Cloudflare, AdGuard, etc. How would it even learn that?
 
With a proper router, you can create rules that allow DoT and/or DoQ and/or DNSCrypt outbound ports to access only certain IP addresses. You can't do much about DoH, but if you have IPS/IDS that gets regularly updated to block malicious IP, then I'd use that.
There's not much, read no, point in allowing encrypted DNS to certain addresses. You either block it outright and force DNS to internal sources where you can filter it, or you don't. QUIC is another thing that is just blocked completely in a secure network.
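The advice in this thread (block 53 and 853 from everything but the Pi-hole, block 443 to known DoH resolvers, drop QUIC, let only the Pi-hole reach its upstream) collected into one ruleset, as an added example that is not from any poster: an nftables egress policy for a Linux router. It assumes lan0 as the LAN interface, 192.168.1.2 as the Pi-hole and 203.0.113.53 as the Pi-hole's own upstream resolver; all three are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Egress DNS policy for a Linux router (added example, not from the thread).
# Constructed placeholders, replace with your own:
#   lan0          LAN-facing interface
#   192.168.1.2   Pi-hole
#   203.0.113.53  the upstream resolver the Pi-hole itself forwards to
define LAN_IF = "lan0"
define PIHOLE = 192.168.1.2

table inet dns_egress {
    set pihole_upstream {
        type ipv4_addr
        elements = { 203.0.113.53 }
    }
    # Public DoH resolvers you choose to block on TCP 443 (documentation range
    # as a placeholder). DoH endpoints not listed here still get through.
    set known_doh {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname $LAN_IF jump lan_dns
    }

    chain lan_dns {
        # Only the Pi-hole may reach its upstream: plain DNS, DoT (853) or DoH (443).
        ip saddr $PIHOLE ip daddr @pihole_upstream meta l4proto { tcp, udp } th dport { 53, 443, 853 } accept

        # Every other LAN client: no plaintext DNS, no DoT, no DoQ, no QUIC at all,
        # and no TCP 443 to the listed DoH resolvers. These rules carry no "ip"
        # match, so they also catch IPv6 clients with hardcoded resolvers.
        # Log the drops: the Pi-hole never sees these packets, so the router log
        # is the only place that shows which device is bypassing it.
        meta l4proto { tcp, udp } th dport { 53, 853 } log prefix "dns-bypass: " drop
        udp dport 443 log prefix "quic-drop: " drop
        ip daddr @known_doh tcp dport 443 log prefix "doh-drop: " drop
    }
}
```

Load it with `nft -f <file>` and watch the kernel log for the `dns-bypass:` prefix to find the devices with hardcoded resolvers. Dropping UDP 443 makes browsers fall back from HTTP/3 to TCP, which is the trade-off the thread accepts.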
 
I’m using a Firewalla Gold as of the past few weeks. Works great and easy to configure. Was nervous at first but I’m satisfied with it. Was going to build my own pfsense box but glad I went with this. Using my old Asus AX86 routers as access points.
 