Is there benefit to direct DoT and/or DoH connection compared to local DNS server?

OpenSource Ghost

Assume an environment where all LAN/WLAN clients connect to a local DNS server using plaintext UDP port 53, and the local DNS server runs Pi-Hole, which creates secure DoT and DoH connections to public resolvers such as Cloudflare.

If a malicious traffic intercept happens on the LAN/WLAN (not the WAN), is it more secure for clients to connect directly to DoT and DoH DNS resolvers (bypassing the local DNS server)?
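The premise of the question is that plaintext UDP/53 traffic on the LAN can be read by anyone on the segment. The following is an added example, not code from either poster: a minimal parser for the DNS query wire format, showing exactly what a passive LAN observer recovers from a stub resolver's query (transaction ID, the full QNAME, and the record type) with no key or cooperation needed. The query bytes are constructed inline for the example; nothing is captured from a real network.

```python
"""Added example: parse a plaintext DNS query as a passive observer on the
LAN would see it on UDP port 53. Not code from the original thread."""
import struct

# Common QTYPE values (RFC 1035 / RFC 3596); anything else is shown numerically.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 65: "HTTPS"}


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct the UDP payload a stub resolver emits for one question.

    Header: ID, flags (RD set, everything else clear), QDCOUNT=1, then the
    question as length-prefixed labels, a zero terminator, QTYPE and QCLASS=IN.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname_wire + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(payload: bytes) -> dict:
    """Decode a single-question DNS query; raise ValueError on malformed input.

    This is what anyone sniffing the LAN segment reads off the wire when the
    client speaks plaintext DNS; with DoT/DoH the same bytes are inside TLS.
    """
    if len(payload) < 12:
        raise ValueError("DNS header is 12 bytes")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError(f"expected exactly one question, got {qdcount}")

    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are legal in answers, not expected in a
            # stub resolver's question section; refuse rather than guess.
            raise ValueError("compression pointer in question section")
        label = payload[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace"))
        pos += length

    if pos + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {
        "txid": txid,
        "qname": ".".join(labels),
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "qclass": qclass,
        "recursion_desired": bool(flags & 0x0100),
    }


# Constructed sample: the raw bytes for "www.example.com A", hand-assembled so
# the parser is exercised on a byte string rather than only on build_query().
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")

if __name__ == "__main__":
    # What a LAN sniffer learns from one plaintext UDP/53 datagram.
    print(parse_query(SAMPLE_QUERY))
    print(parse_query(build_query("mail.example.net", qtype=28)))
```

The point of the exercise is the asymmetry the question is asking about: on plaintext UDP/53 the observer learns the queried name and type from a single datagram, whereas when the client itself speaks DoT or DoH, the same observer sees only a TLS connection to the resolver's address (port 853 for DoT, 443 for DoH) and, unless encrypted ClientHello is in use, the resolver's hostname in the SNI.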
 
BlueLineSwinger

If there's something on your LAN that's intercepting DNS queries you're fucked no matter what.

Most likely, any such malicious process would be on the system(s) making the query, so whether the DNS resolver is local (e.g., a Pi-Hole+Unbound/Stubby for DoT/DoH) or directly to Cloudflare/Google/Quad9/etc. is irrelevant.
 
