I am looking for ideas on how to detect (and eventually block) any client that is not using my home DNS. This includes clients that use plain DNS as well as DNS over TLS or HTTPS.
One solution I can think of would be to parse DNS and firewall logs to see which local host IP is not in DNS logs. Any other ideas/solutions?
I'm aware of those solutions but was not aware of the docs, so thanks for the link. Unfortunately local users and presumably rogue network devices are capable of using non-standard ports and DNS forwarders on free VM instances for encrypted DNS, so using banIP and blocking ports is no longer 100% effective.
Instead of blocking a moving target, I feel blocking clients that are not using assigned DNS is the only way, outside running everything through a MiTM proxy (which is also not optimal because Apple, Google and others don't like it).
Firewall logs only log when something is actually blocked by the firewall. So I don’t see how any DNS traffic would show up in firewall logs?
Well usually these ideas sound good for the ones making the idea, and then they present the idea to the world.
So now I am looking at this and wondering why? What is the point of forcing everyone to use “my assigned DNS”?
And how much of your wakening time is meaningful to use to enforce this idea you have about DNS enforcement?
DNS is only a simple phonebook to get the IP address, nothing more and nothing less.
There is no security or privacy with DNS, because everyone sees what IP address you use after the DNS call anyway.
And then we have this example: on a TP-link EAP business class AP, the NTP servers it calls by default are pure IP addresses. TP-link equipment won’t even use a DNS service to look up the time server, because it already knows where to call; if you already know the phone number, you don’t need a phonebook.
Certainly everyone is entitled to their opinion but why waste the time philosophizing in a technical forum of all places? To get back to the topic, you can add a rule to log all http/https traffic.
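The log-correlation idea from the original post, combined with the suggestion above to log outbound traffic, as an added example that is not from anyone in this thread: it reads constructed dnsmasq query-log lines and constructed netfilter LOG lines (the "FW-OUT:" prefix, the resolver address 192.168.1.1 and the 192.168.1.0/24 LAN are assumptions) and flags LAN hosts that send plain DNS elsewhere, use DNS over TLS on port 853, or send outbound traffic without ever having queried the home resolver.

```python
import re
from collections import defaultdict

RESOLVER = "192.168.1.1"   # assumed address of the home DNS server
LAN_PREFIX = "192.168.1."  # assumed LAN range

# Constructed sample lines in dnsmasq 'log-queries' format.
DNS_LOG = """\
Mar  3 10:00:01 dnsmasq[1234]: query[A] example.com from 192.168.1.20
Mar  3 10:00:02 dnsmasq[1234]: query[AAAA] example.com from 192.168.1.20
Mar  3 10:00:05 dnsmasq[1234]: query[A] openwrt.org from 192.168.1.21
"""

# Constructed sample lines from an assumed netfilter LOG rule that logs
# new outbound connections with the prefix "FW-OUT:" (TEST-NET addresses).
FW_LOG = """\
Mar  3 10:00:01 router kernel: FW-OUT: IN=br-lan OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=50001 DPT=443
Mar  3 10:00:03 router kernel: FW-OUT: IN=br-lan OUT=eth0 SRC=192.168.1.22 DST=8.8.8.8 PROTO=UDP SPT=40000 DPT=53
Mar  3 10:00:04 router kernel: FW-OUT: IN=br-lan OUT=eth0 SRC=192.168.1.22 DST=1.1.1.1 PROTO=TCP SPT=40001 DPT=853
Mar  3 10:00:06 router kernel: FW-OUT: IN=br-lan OUT=eth0 SRC=192.168.1.23 DST=203.0.113.20 PROTO=TCP SPT=40002 DPT=443
Mar  3 10:00:07 router kernel: FW-OUT: IN=br-lan OUT=eth0 SRC=192.168.1.21 DST=203.0.113.30 PROTO=TCP SPT=40003 DPT=443
"""

DNS_RE = re.compile(r"query\[\w+\] \S+ from (\S+)")
FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) .*DPT=(\d+)")


def dns_clients(dns_log):
    """Set of LAN addresses that sent at least one query to the home resolver."""
    return {m.group(1) for m in map(DNS_RE.search, dns_log.splitlines()) if m}


def flag_bypassers(dns_log, fw_log):
    """Map each suspicious LAN host to the set of reasons it was flagged."""
    queried = dns_clients(dns_log)
    flagged = defaultdict(set)
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        src, dst, _proto, dport = m.groups()
        if not src.startswith(LAN_PREFIX):
            continue
        if dport == "53" and dst != RESOLVER:
            flagged[src].add(f"plain DNS to {dst}")        # bypassing the resolver
        elif dport == "853":
            flagged[src].add(f"DNS over TLS to {dst}")     # DoT is always external here
        elif src not in queried:
            # Talks out (e.g. DoH on 443) but never asked the home DNS for anything.
            flagged[src].add("outbound traffic but no query to home DNS")
    return dict(flagged)
```

The last check is deliberately coarse: a host that resolved names before the log window started (or answers from its own cache) will also be flagged, so in practice the two logs should be compared over a sliding time window rather than in full.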
Currently I'm leaning towards a solution with nodogsplash or openNDS with an embedded link that only works (resolves) and authorizes internet access when using my DNS server.