Devices bypassing firewall redirects to Adguard Home

I have a router that has AdGuard Home installed. I have firewall rules set up to redirect all traffic to 192.168.1.1. If I set DNS to 8.8.8.8, only some (very few) query logs show up in AdGuard; everything works fine with DNS set to 192.168.1.1. I have IPv6 disabled.

I am not quite sure what's happening. I guess it's using DoH by default now and I need to start adding firewall rules to explicitly block DoH requests?

Here is my firewall config:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option name 'Intercept-DNS-V4'
	option src 'lan'
	option proto 'tcp udp'
	option src_ip '!192.168.1.1'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config zone
	option name 'GuestZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Guest'

config zone
	option name 'IoTZone'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'GuestZone'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'IoTZone'

config rule
	option name 'Guest-DHCP-DNS'
	option family 'ipv4'
	option src 'GuestZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config nat
	option name 'Masquerade-Intercepted-DNS'
	option src 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'MASQUERADE'

config rule
	option name 'Block-Private-DNS-DoT'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '853'
	option target 'REJECT'
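A quick way to check what a firewall config like the one above actually covers is to parse the UCI text and ask, per zone, whether a port-53 DNAT redirect and an 853 reject rule exist for traffic from that zone. The script below is an added example, not code from the original post or from OpenWrt; SAMPLE_CONFIG is a constructed excerpt modelled on the posted config, and the parser handles only the `config`/`option`/`list` forms shown in the thread.

```python
"""Audit an OpenWrt UCI firewall config for DNS-interception coverage.

Added example, not code from the original post. It parses the UCI text form
shown in the thread (config <type>, option <key> '<value>', list <key>
'<value>') and reports, per firewall zone, whether traffic from that zone is
covered by a port-53 DNAT redirect and by a REJECT/DROP rule for DoT (853).
SAMPLE_CONFIG is a constructed excerpt modelled on the posted config.
"""
import re

SAMPLE_CONFIG = """
config zone
    option name 'lan'
    list network 'lan'

config zone
    option name 'GuestZone'
    list network 'Guest'

config redirect
    option name 'Intercept-DNS-V4'
    option src 'lan'
    option proto 'tcp udp'
    option src_ip '!192.168.1.1'
    option src_dport '53'
    option dest_port '53'
    option target 'DNAT'

config rule
    option name 'Block-Private-DNS-DoT'
    option src 'lan'
    option dest 'wan'
    option proto 'tcp udp'
    option dest_port '853'
    option target 'REJECT'
"""

# "config <type>" optionally followed by a section label, e.g. config zone 'lan'
SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]+)'?)?\s*$")
# "option <key> '<value>'" or "list <key> '<value>'" (quotes optional in UCI)
ENTRY_RE = re.compile(r"^(option|list)\s+(\S+)\s+'?(.*?)'?\s*$")


def parse_uci(text):
    """Return a list of sections: {'type': str, 'label': str|None, 'options': {key: [values]}}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append({'type': m.group(1), 'label': m.group(2), 'options': {}})
            continue
        m = ENTRY_RE.match(line)
        if m and sections:
            # 'list' keys may repeat, so every key maps to a list of values
            sections[-1]['options'].setdefault(m.group(2), []).append(m.group(3))
    return sections


def first(section, key, default=''):
    """First value of a key, or default when the section lacks it."""
    return section['options'].get(key, [default])[0]


def ports(section, key):
    """Split a space-separated port option such as '53 67 68' into a set."""
    return set(first(section, key).split())


def audit_dns(sections):
    """Map each zone name to the DNS controls that apply to traffic from it."""
    zones = [first(s, 'name') for s in sections if s['type'] == 'zone']
    report = {}
    for zone in zones:
        redirect = any(
            s['type'] == 'redirect' and first(s, 'target') == 'DNAT'
            and first(s, 'src') == zone and '53' in ports(s, 'src_dport')
            for s in sections)
        dot_block = any(
            s['type'] == 'rule' and first(s, 'target') in ('REJECT', 'DROP')
            and first(s, 'src') == zone and '853' in ports(s, 'dest_port')
            for s in sections)
        report[zone] = {'dns53_redirect': redirect, 'dot853_blocked': dot_block}
    return report


if __name__ == '__main__':
    for zone, controls in audit_dns(parse_uci(SAMPLE_CONFIG)).items():
        print(zone, controls)
```

Run against the posted config, the report shows the redirect and the DoT reject both keyed on `src 'lan'`, so clients in GuestZone or IoTZone are not covered by either. What the audit cannot show is DoH: it rides on TCP 443 like any other HTTPS, so no port-based rule in this file can be checked for it.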

Hi frollic,

I believe this is already set up in my config; did I miss anything important?

Compare, let us know?

You cannot block DoH in a simple way like you can block DoT and DNS53.

You can use a package like BanIP to block all known DoH servers.
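The reason DoH needs an IP list rather than a port rule is visible when you classify client flows against the controls in the posted config. The script below is an added example, not code from the thread or from BanIP: it takes constructed flow records ("proto src dst dport", as a LAN client sent them, before NAT) and labels each by the control that would act on it. The resolver set is an assumption standing in for a BanIP-style list; 8.8.8.8 comes from the thread, the other addresses are well-known public resolvers. The "redirected" and "rejected" labels assume the client sits in the `lan` zone, which is the only `src` the posted redirect and DoT rule name.

```python
"""Classify LAN DNS-related flows against the thread's firewall controls.

Added example, not code from the original thread. Each constructed sample
line is "proto src dst dport" as a LAN client sent it (pre-NAT). DOH_RESOLVERS
is an assumed stand-in for a BanIP-style list of DoH server addresses.
"""
from collections import Counter

ROUTER_IP = '192.168.1.1'  # AdGuard Home listener, from the post
# Assumed resolver IP list; 8.8.8.8 is from the thread, the rest are well-known
DOH_RESOLVERS = {'8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1'}

# Constructed sample flows: proto, source, destination, destination port.
SAMPLE_FLOWS = """\
udp 192.168.1.20 192.168.1.1 53
udp 192.168.1.20 8.8.8.8 53
tcp 192.168.1.21 8.8.8.8 853
tcp 192.168.1.22 8.8.8.8 443
tcp 192.168.1.22 203.0.113.10 443
tcp 192.168.1.23 1.1.1.1 443
"""


def classify(proto, src, dst, dport):
    """Return which control from the posted config applies to one flow."""
    if dport == 53 and dst == ROUTER_IP:
        return 'direct-to-adguard'          # already talks to AdGuard Home
    if dport == 53:
        return 'plain-dns-redirected'       # Intercept-DNS-V4 DNATs this to the router
    if dport == 853:
        return 'dot-rejected'               # Block-Private-DNS-DoT rejects this
    if proto == 'tcp' and dport == 443 and dst in DOH_RESOLVERS:
        return 'doh-suspect'                # looks like HTTPS; only the IP gives it away
    return 'other'                          # ordinary traffic, no DNS control applies


def parse_flows(text):
    """Parse "proto src dst dport" lines into (proto, src, dst, int(dport)) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        proto, src, dst, dport = parts
        flows.append((proto, src, dst, int(dport)))
    return flows


def summarize(text):
    """Count flows per category."""
    return dict(Counter(classify(*flow) for flow in parse_flows(text)))


def doh_suspects(text):
    """Map client IP -> number of TCP/443 flows to known DoH resolver addresses."""
    counts = Counter()
    for proto, src, dst, dport in parse_flows(text):
        if classify(proto, src, dst, dport) == 'doh-suspect':
            counts[src] += 1
    return dict(counts)


if __name__ == '__main__':
    print(summarize(SAMPLE_FLOWS))
    print(doh_suspects(SAMPLE_FLOWS))
```

Note that the flow to 203.0.113.10:443 and the flow to 8.8.8.8:443 are indistinguishable by port and protocol; the only thing separating "other" from "doh-suspect" is whether the destination address is on the list, which is exactly what a BanIP feed supplies and what a plain port rule cannot.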

I see, so 8.8.8.8 is using DoH these days automatically; I just wanted confirmation of that. Thanks a lot for the information, I will try BanIP and revert back. Thanks for your help.

If you are using Chrome, Chrome will automatically switch to DoH when it detects the OS DNS resolver supports DoH.

Often you can configure your browser and/or OS to use what you want. Research Private DNS.

If you want to restrict internet access for your family, they can of course undo that, so blocking with e.g. BanIP is then the next step.

All this is on the wiki page you didn't fully read.

I am not quite sure what's happening. I guess it's using DoH by default now and I need to start adding firewall rules to explicitly block DoH requests?

Apologies if my question wasn't clear.

Issue is resolved. Thanks @egc and @dave14305 for the clarification and pointers. It seems 8.8.8.8 is using DoH by default in some cases; upon more research I found out it might have something to do with the Private DNS setting in Android.

Just leaving this comment here in case someone wants to quickly resolve it. But with DoH being used everywhere now, a BanIP setup might be a necessity when using AdGuard or Pi-hole in the future; I guess too many people are using Pi-hole or other alternatives, and companies aren't happy with their data collection being blocked.