What are you guys using for a router that you love?

Nicklebon

Gawd
Joined
May 22, 2006
Messages
840
If you're just using PiHole to back this up, well, you're a bit incorrect. Quite a few devices have their own hardcoded DNS servers - regardless of what you set up or provide via DHCP.
To overcome that I block outgoing port 53 at my router. But obviously, in those cases, PiHole isn't ever seeing the traffic or client, so it won't report on it.
If you're trying to block outgoing DNS from everything except PiHole you should be blocking 853 (DoT) as well. You should also block 443 to all known DoH servers. Of course DoH to unknown servers will ignore all that shit and breeze on through. It is my sincere desire that the inventors of DoH live to be 200 years old and suffer the pain of shingles every day between now and then. ;>

Eulogy

2[H]4U
Joined
Nov 9, 2005
Messages
2,710
If you're trying to block outgoing DNS from everything except PiHole you should be blocking 853 (DoT) as well. You should also block 443 to all known DoH servers. Of course DoH to unknown servers will ignore all that shit and breeze on through.
Yeah, and I do, though as you point out, it's not as sure-fire. Each device I've personally interrogated used port 53. I no longer have any of those kinds of devices, haven't for about 5-6 years now, so I'm not sure what more contemporary ones are using.

Vermillion

Supreme [H]ardness
Joined
Apr 5, 2007
Messages
4,361
If you're just using PiHole to back this up, well, you're a bit incorrect. Quite a few devices have their own hardcoded DNS servers - regardless of what you set up or provide via DHCP.
To overcome that I block outgoing port 53 at my router. But obviously, in those cases, PiHole isn't ever seeing the traffic or client, so it won't report on it.
I did gloss over a bit. I do block all that. I've watched with things like Wireshark. Google Home wouldn't work if it didn't have DNS unless they hardcoded IP addresses, which doesn't seem practical at all. Plus they do show up in my Pi-hole.

The Google Home devices are quiet. Roku, Amazon, and Windows systems not locked down? Not so much.
Joined
Feb 14, 2022
Messages
55
If you're trying to block outgoing DNS from everything except PiHole you should be blocking 853 (DoT) as well. You should also block 443 to all known DoH servers. Of course DoH to unknown servers will ignore all that shit and breeze on through. It is my sincere desire that the inventors of DoH live to be 200 years old and suffer the pain of shingles every day between now and then. ;>

With a proper router, you can create rules that allow DoT and/or DoQ and/or DNSCrypt outbound ports to access only certain IP addresses. You can't do much about DoH, but if you have IPS/IDS that gets regularly updated to block malicious IP, then I'd use that.

Some devices do indeed force whichever DNS they desire, regardless of on-device and DHCP settings. I have one Android device that keeps trying to use plaintext versions of the DoH DNS addresses I use for Pi-Hole. Router DHCP and on-device DNS are set to the local IP of my local private DNS server, which points to a set of very unique DoH server addresses. That Android device does use the local IP of my DNS server, but it also tries to send packets directly to plaintext versions of those unique DoH DNS server addresses. The DoH addresses I use aren't typical Google, Cloudflare, AdGuard, etc. How would it even learn that?

Nicklebon

Gawd
Joined
May 22, 2006
Messages
840
With a proper router, you can create rules that allow DoT and/or DoQ and/or DNSCrypt outbound ports to access only certain IP addresses. You can't do much about DoH, but if you have IPS/IDS that gets regularly updated to block malicious IP, then I'd use that.
There's not much, read no, point in allowing encrypted DNS to some certain addresses. You either block it outright and force DNS to internal sources where you can filter it or you don't. QUIC is another thing that is just blocked completely in a secure network.
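The router-side rules the thread describes (only the Pi-hole host may reach 53 and 853, QUIC dropped LAN-wide, TCP 443 to known DoH resolvers rejected, everything logged so bypass attempts are visible even though Pi-hole never sees them) as an added nftables example; this is not code from any poster. Interface names, the Pi-hole address and the LAN range are constructed placeholders, and 1.1.1.1 and 8.8.8.8 are only two well-known DoH resolvers, not a complete list.

```shell
#!/bin/sh
# Emit an nftables ruleset that forces LAN DNS through Pi-hole.
# Args: LAN interface, WAN interface, Pi-hole IPv4, LAN CIDR, then one or
# more IPv4 addresses of known DoH resolvers (the set must not be empty).
# Example values below (br0, eth0, 192.168.1.2, 192.168.1.0/24) are constructed.
build_dns_egress_ruleset() {
    lan_if="$1"; wan_if="$2"; pihole="$3"; lan_net="$4"
    shift 4
    doh_set=""
    for ip in "$@"; do
        doh_set="${doh_set}${doh_set:+, }${ip}"
    done
    # Logged prefixes (DNS-BYPASS, QUIC-BLOCK, DOH-BLOCK) identify clients with
    # hardcoded resolvers in the router log, which Pi-hole cannot report on.
    cat <<EOF
table inet dns_egress {
    set doh_servers {
        type ipv4_addr
        elements = { ${doh_set} }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "${lan_if}" oifname "${wan_if}" ip saddr ${pihole} meta l4proto { tcp, udp } th dport { 53, 853 } accept
        iifname "${lan_if}" oifname "${wan_if}" ip saddr ${lan_net} meta l4proto { tcp, udp } th dport { 53, 853 } log prefix "DNS-BYPASS " reject
        iifname "${lan_if}" oifname "${wan_if}" ip saddr ${lan_net} udp dport 443 log prefix "QUIC-BLOCK " drop
        iifname "${lan_if}" oifname "${wan_if}" ip saddr ${lan_net} ip daddr @doh_servers tcp dport 443 log prefix "DOH-BLOCK " reject
    }
}
EOF
}

# Stand-alone use: pass the arguments on the command line, e.g.
#   sh dns_egress.sh br0 eth0 192.168.1.2 192.168.1.0/24 1.1.1.1 8.8.8.8 > dns_egress.nft
#   nft -c -f dns_egress.nft   # syntax check before loading with nft -f
if [ "$#" -ge 5 ]; then
    build_dns_egress_ruleset "$@"
fi
```

DoH to resolvers not in the set still passes on TCP 443, which is the gap the posters describe; the log prefixes at least show which clients keep trying.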

waterbucket

Limp Gawd
Joined
Feb 10, 2018
Messages
179
I’m using a Firewalla Gold as of the past few weeks. Works great and easy to configure. Was nervous at first but I’m satisfied with it. Was going to build my own pfsense box but glad I went with this. Using my old Asus AX86 routers as access points.