Separate subnet for DNS (pros and cons discussion)

In general, the official OpenWrt guide (link) has the following recommendations:

Block DoT

uci -q delete firewall.dot_fwd
uci set firewall.dot_fwd="rule"
uci set firewall.dot_fwd.name="Deny-DoT"
uci set firewall.dot_fwd.src="lan"
uci set firewall.dot_fwd.dest="wan"
uci set firewall.dot_fwd.dest_port="853"
uci set firewall.dot_fwd.proto="tcp udp"
uci set firewall.dot_fwd.target="REJECT"
uci commit firewall
service firewall restart

Redirect DNS

# Configure firewall
# (assumes the 'dns_int' redirect created by the guide's "Intercept DNS" section
#  already exists; these two lines only rename it and point it at the DNS host)
uci set firewall.dns_int.name="Redirect-DNS"
uci set firewall.dns_int.dest_ip="192.168.2.2"
uci commit firewall
service firewall restart
 
# Configure network
# (adds a second address on lan so the router can reach the DNS host in 192.168.2.0/24)
uci add_list network.lan.ipaddr="192.168.2.1/24"
uci commit network
service network restart

So the main discussion is:

  • If I create a separate subnet for DNS, will it increase stability and security?
  • If DoT is blocked on the router, can I ensure that all DNS traffic is resolved on the router and that the router passes all traffic via WireGuard (to hide DNS requests from the ISP)?
  • WebRTC is under question. Should it (and can it?) be blocked on the router to prevent IP leaks?

Generally, I need clients to be forced to use my DNS, which will be resolved through the VPN to avoid any information leak to the ISP.

No
No, evil uses other ports.
No(No)

1 Like

Instead of resolving via VPN you can also use secure DNS (DoT/DoH/DoQ).

But you need to redirect the usual ports 53/5353/853, and you can use e.g. BanIP to use a blocklist for known DoH servers (which use port 443, which you cannot block for obvious reasons).
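To check whether a router actually carries the rules the guide snippets at the top of the thread and the 53/5353/853 advice in this reply describe, here is an added example in Python (not code from the thread, nor from the OpenWrt project or its guide). It parses /etc/config/firewall in UCI syntax and reports, for each port discussed, whether LAN clients are redirected to the router, rejected towards WAN, or left open. The sample config, the port list and the assumption that a rule without `proto` matches both tcp and udp (the OpenWrt default) are mine; against a real router, feed the text of `uci export firewall` to `report()`.

```python
import re

# Ports the thread talks about: plain DNS, mDNS, DoT, and HTTPS (where DoH hides).
PORTS_OF_INTEREST = {53: "DNS", 5353: "mDNS", 853: "DoT", 443: "HTTPS/DoH"}

# Constructed sample of /etc/config/firewall after the guide's "Intercept DNS"
# redirect and "Block DoT" rule have been applied (illustrative, not a real dump).
SAMPLE_FIREWALL = """\
config redirect 'dns_int'
    option name 'Intercept-DNS'
    option family 'any'
    option proto 'tcp udp'
    option src 'lan'
    option src_dport '53'
    option target 'DNAT'

config rule 'dot_fwd'
    option name 'Deny-DoT'
    option src 'lan'
    option dest 'wan'
    option dest_port '853'
    option proto 'tcp udp'
    option target 'REJECT'
"""

_CONFIG_RE = re.compile(r"^config\s+(\S+)(?:\s+['\"]?([^'\"]+)['\"]?)?\s*$")
_OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))\s*$")


def parse_uci(text):
    """Parse UCI config text into a list of {'type', 'name', 'options', 'lists'} sections."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _CONFIG_RE.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2), "options": {}, "lists": {}}
            sections.append(current)
            continue
        m = _OPTION_RE.match(line)
        if m and current is not None:
            kind, key = m.group(1), m.group(2)
            value = next(v for v in m.groups()[2:] if v is not None)
            if kind == "option":
                current["options"][key] = value
            else:
                current["lists"].setdefault(key, []).append(value)
    return sections


def port_in_spec(port, spec):
    """True if `port` is covered by a UCI port spec such as '53', '53 5353' or '1024-65535'."""
    for item in spec.replace(",", " ").split():
        lo, _, hi = item.partition("-")
        if hi and int(lo) <= port <= int(hi):
            return True
        if not hi and int(lo) == port:
            return True
    return False


def covers_tcp_and_udp(proto):
    """A rule/redirect with no proto matches tcp+udp (OpenWrt default, assumed here)."""
    if not proto:
        return True
    tokens = set(proto.replace("tcpudp", "tcp udp").split())
    return "all" in tokens or {"tcp", "udp"} <= tokens


def audit(sections):
    """Return (intercepted, rejected): ports DNAT'ed from lan, and ports rejected lan->wan."""
    intercepted, rejected = set(), set()
    for s in sections:
        o = s["options"]
        if o.get("enabled", "1") == "0" or o.get("src") != "lan":
            continue
        if s["type"] == "redirect" and o.get("target", "DNAT") == "DNAT":
            intercepted |= {p for p in PORTS_OF_INTEREST
                            if port_in_spec(p, o.get("src_dport", "")) and covers_tcp_and_udp(o.get("proto"))}
        elif s["type"] == "rule" and o.get("dest") == "wan" and o.get("target") in ("REJECT", "DROP"):
            rejected |= {p for p in PORTS_OF_INTEREST
                         if port_in_spec(p, o.get("dest_port", "")) and covers_tcp_and_udp(o.get("proto"))}
    return intercepted, rejected


def report(text):
    """One finding line per port; 443 is always reported as not catchable by a port rule."""
    intercepted, rejected = audit(parse_uci(text))
    lines = []
    for port, label in sorted(PORTS_OF_INTEREST.items()):
        if port == 443:
            status = ("BLOCKED (this breaks all HTTPS)" if port in rejected
                      else "open: DoH cannot be caught by port, use a resolver blocklist (e.g. BanIP)")
        elif port in intercepted:
            status = "redirected to the router resolver"
        elif port in rejected:
            status = "rejected towards wan"
        else:
            status = "NOT handled: clients can bypass the router resolver"
        lines.append(f"{port}/{label}: {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FIREWALL)))
```

On the sample above the report shows 53 redirected, 853 rejected, 5353 not handled, and 443 open with the note that DoH has to be dealt with by a server blocklist rather than a port rule, which is exactly the gap this reply points at.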

How to use AdGuard DoH/DoT? I don't see any GUI where I can enter a link. Only an IP, which is obviously not DoH/DoT.

No idea, I do not use AdGuard; nice stuff but too bloated for me.

1 Like

I meant public DNS, not private ones.

These ones:

DNS-over-HTTPS

  • Default server (AdGuard DNS will block ads and trackers): https://dns.adguard-dns.com/dns-query
  • Non-filtering server (AdGuard DNS will not block ads, trackers, or any other DNS requests): https://unfiltered.adguard-dns.com/dns-query
  • Family protection server (AdGuard DNS will block ads, trackers, adult content, and enable Safe Search and Safe Mode, where possible): https://family.adguard-dns.com/dns-query

DNS-over-TLS

  • Default server (AdGuard DNS will block ads and trackers): tls://dns.adguard-dns.com
  • Non-filtering server (AdGuard DNS will not block ads, trackers, or any other DNS requests): tls://unfiltered.adguard-dns.com
  • Family protection server (AdGuard DNS will block ads, trackers, adult content, and enable Safe Search and Safe Mode, where possible): tls://family.adguard-dns.com

There's a package called HTTPS DNS proxy that easily allows you to use DoH servers. There is stubby for DoT, which is a little more tricky to use.

1 Like

And dnscrypt-proxy

And SmartDNS

1 Like