DNS hijacking Guide says to avoid masquerading

I saw on the intercept_dns guide that it recommends not using masquerading. The last section, #dns_redirection, says:

Avoid using Dnsmasq. Configure firewall to redirect DNS traffic to your local DNS server. Move the local DNS server to a separate subnet to avoid masquerading.

Why is that?

When I was using Adguard Home separately from OpenWrt, some devices required me to use masquerade. My assumption was these devices did not like the DNS IP that was separate from the IP of the router. I did not like this because the source IP would no longer show up on the Query logs of Adguard Home.

This is the line I am curious about:

Move the local DNS server to a separate subnet to avoid masquerading.

Why is it recommended to move the DNS server to a separate subnet?
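Added example, not from the wiki page or from either poster: a small Python model of the firewall DNAT redirect the quoted section describes, using constructed addresses (192.168.1.0/24 as the client LAN, 10.0.5.0/24 as the resolver's own subnet, the router at 192.168.1.1). It shows the reason behind the advice: when the resolver sits on the same subnet as the clients, its reply is delivered at layer 2 and never passes back through the router, so the DNAT is never undone and the client sees a reply from an address it did not query; masquerading fixes that but replaces the client address in the resolver's query log with the router's. On a separate subnet the reply has to route through the router, conntrack reverses the DNAT, and the resolver still logs the real client.

```python
"""Model of a firewall DNS redirect (DNAT) with and without masquerading.

Added example, not the wiki's or the posters' code.  Addresses and the
'query log' column are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

ROUTER_LAN = ip_address("192.168.1.1")    # constructed: address clients use as resolver
SUBNETS = [ip_network("192.168.1.0/24"),  # constructed: client LAN
           ip_network("10.0.5.0/24")]     # constructed: separate subnet for the resolver


def same_subnet(a, b):
    """True if both addresses sit in the same directly attached subnet."""
    return any(a in net and b in net for net in SUBNETS)


def dns_query(client, dns_server, masquerade):
    """Simulate one UDP/53 query from client to ROUTER_LAN:53.

    Returns (source address the client sees on the reply, source address the
    resolver logs).  The router DNATs the destination to dns_server and, if
    masquerade is set, also SNATs the source to its own address; conntrack
    reverses both on any reply that passes back through the router.
    """
    src_seen_by_resolver = ROUTER_LAN if masquerade else client
    # conntrack reverse entry: (resolver, post-NAT src) -> (pre-NAT dst, pre-NAT src)
    conntrack = {(dns_server, src_seen_by_resolver): (ROUTER_LAN, client)}

    reply_via_router = (src_seen_by_resolver == ROUTER_LAN
                        or not same_subnet(dns_server, src_seen_by_resolver))
    if reply_via_router:
        reply_from, _ = conntrack[(dns_server, src_seen_by_resolver)]
    else:
        # Resolver and client share a subnet: the reply is delivered at layer 2
        # and never reaches the router, so the DNAT is never undone.
        reply_from = dns_server
    return reply_from, src_seen_by_resolver


def client_accepts(reply_from):
    """A client that connected its socket to ROUTER_LAN drops replies from elsewhere."""
    return reply_from == ROUTER_LAN


def scenarios():
    """Run the three configurations discussed in the thread; returns a summary dict."""
    client = ip_address("192.168.1.10")  # constructed client
    cases = {
        "same_subnet_no_masq": (ip_address("192.168.1.2"), False),
        "same_subnet_masq": (ip_address("192.168.1.2"), True),
        "separate_subnet_no_masq": (ip_address("10.0.5.2"), False),
    }
    out = {}
    for name, (dns_server, masq) in cases.items():
        reply_from, logged = dns_query(client, dns_server, masq)
        out[name] = {
            "reply_from": str(reply_from),
            "accepted": client_accepts(reply_from),
            "logged_source": str(logged),
        }
    return out


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:24s} reply from {r['reply_from']:12s} "
              f"accepted={str(r['accepted']):5s} resolver logs {r['logged_source']}")
```

Only the third case both works without masquerading and keeps the client address in the resolver log, which is the configuration the quoted section is steering towards.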

That is a specific description of a specific configuration. If you want to use local dnsmasq, follow any of the other sections.
