- May 22, 2006
If you're trying to block outgoing DNS from everything except PiHole you should be blocking 853 (DoT) as well. You should also block 443 to all known DoH servers. Of course DoH to unknown servers will ignore all that shit and breeze on through. It is my sincere desire that the inventors of DoH live to be 200 years old and suffer the pain of shingles every day between now and then. ;>

If you're just using PiHole to back this up, well, you're a bit incorrect. Quite a few devices have their own hardcoded DNS servers - regardless of what you set up or provide via DHCP.
To overcome that I block outgoing port 53 at my router. But obviously, in those cases, PiHole isn't ever seeing the traffic or client, so it won't report on it.
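The post's last point is the blind spot: once port 53 is dropped at the router, Pi-hole never sees the clients that ignored DHCP, so the router's own firewall log is the only place they show up. The script below is an added example, not code from the post or from the Pi-hole project. It assumes the router's iptables FORWARD chain runs `-j LOG --log-prefix "DNS-EGRESS "` before dropping traffic to port 53/853 from anything other than the Pi-hole, and port 443 to a hand-maintained list of DoH resolver addresses; the Pi-hole address, the resolver list and every log line are constructed for the example. It parses those kernel log lines and reports which clients tried to bypass the Pi-hole, to where, and over which transport.

```python
"""Summarize router firewall log lines for DNS egress that bypassed Pi-hole.

Assumptions (not from the original post): the router logs, then drops,
forwarded traffic to dport 53 or 853 whose source is not the Pi-hole, and
dport 443 to a known list of DoH resolvers, using the iptables LOG target
with prefix "DNS-EGRESS ". All addresses and log lines here are constructed.
"""
import re
from collections import defaultdict

PIHOLE_IP = "192.168.1.2"  # assumed LAN address of the Pi-hole

# Assumed hand-maintained list of public DoH resolvers; port 443 to any of
# these is treated as DNS, port 443 elsewhere is ordinary HTTPS and ignored.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Fields as the iptables LOG target writes them (SRC/DST/PROTO/SPT/DPT).
LOG_RE = re.compile(
    r"DNS-EGRESS .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=\d+ DPT=(?P<dport>\d+)"
)

# Constructed sample: two clients with hardcoded resolvers, one DoT/DoH user,
# the Pi-hole's own upstream query, an unrelated line, and plain HTTPS.
SAMPLE_LOG = [
    "May 22 10:01:02 router kernel: [ 812.101] DNS-EGRESS IN=br0 OUT=eth0 "
    "SRC=192.168.1.50 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF "
    "PROTO=UDP SPT=51234 DPT=53 LEN=40",
    "May 22 10:01:03 router kernel: [ 813.004] DNS-EGRESS IN=br0 OUT=eth0 "
    "SRC=192.168.1.50 DST=8.8.4.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF "
    "PROTO=UDP SPT=51235 DPT=53 LEN=40",
    "May 22 10:01:09 router kernel: [ 819.330] DNS-EGRESS IN=br0 OUT=eth0 "
    "SRC=192.168.1.77 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF "
    "PROTO=TCP SPT=44120 DPT=853 WINDOW=64240 RES=0x00 SYN URGP=0",
    "May 22 10:01:10 router kernel: [ 820.112] DNS-EGRESS IN=br0 OUT=eth0 "
    "SRC=192.168.1.77 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF "
    "PROTO=TCP SPT=44121 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    "May 22 10:01:11 router kernel: [ 821.500] DNS-EGRESS IN=br0 OUT=eth0 "
    "SRC=192.168.1.2 DST=9.9.9.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF "
    "PROTO=UDP SPT=40000 DPT=53 LEN=40",
    "May 22 10:01:12 router dnsmasq-dhcp[512]: DHCPACK(br0) 192.168.1.90",
    "May 22 10:01:13 router kernel: [ 823.900] DNS-EGRESS IN=br0 OUT=eth0 "
    "SRC=192.168.1.90 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=6 DF "
    "PROTO=TCP SPT=50001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
]


def classify(dst, dport):
    """Name the DNS transport a dropped packet was using, or None if not DNS."""
    if dport == 53:
        return "plain DNS (53)"
    if dport == 853:
        return "DoT (853)"
    if dport == 443 and dst in KNOWN_DOH_RESOLVERS:
        return "DoH (443, known resolver)"
    return None


def summarize(lines):
    """Return {client_ip: {transport: [sorted destination IPs]}}.

    Lines without the prefix, lines from the Pi-hole itself (its upstream
    queries are expected), and non-DNS traffic are skipped.
    """
    report = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if src == PIHOLE_IP:
            continue
        transport = classify(dst, dport)
        if transport is None:
            continue
        report[src][transport].add(dst)
    return {client: {t: sorted(dsts) for t, dsts in transports.items()}
            for client, transports in report.items()}


def clients_bypassing_pihole(lines):
    """Sorted list of LAN clients that attempted DNS egress past the Pi-hole."""
    return sorted(summarize(lines))


if __name__ == "__main__":
    for client, transports in sorted(summarize(SAMPLE_LOG).items()):
        for transport, dsts in transports.items():
            print(f"{client}: {transport} -> {', '.join(dsts)}")
```

Feed it the router's kernel log (for example `journalctl -k` or the syslog file on the router) instead of `SAMPLE_LOG`; clients that appear here and never appear in Pi-hole's query log are the devices with hardcoded resolvers that the post describes, and the destination list tells you whether the DoH resolver list needs extending.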