ChatGPT tells me I can have the GL 300M V2 Mango prevent devices from bypassing my OpenDNS setup by doing the following:
Ensure 'Override DNS Settings for All Clients' is enabled in GL.iNet panel.
Which I did, and
For extra enforcement, add the following in LuCI (Advanced > Firewall > Custom Rules):
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to-destination 208.67.222.222
but when I go into LuCI, I am unable to find Advanced > Firewall > Custom Rules, since it seems LuCI has gone through an update that no longer has these tabs. Can anyone explain where I put this in?
By the way, I am doing this because I have some Fire Tablets connecting to my GL Mango, and these tablets not only display that they are using my OpenDNS DNS numbers but also decide to use 8.8.8.8, and I think these Fires are sidestepping OpenDNS because of this. I think maybe putting the rules in LuCI may help.
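Added example (editor's note, not from the thread or from GL.iNet): the single rule quoted above only redirects TCP port 53, while nearly all ordinary DNS queries travel over UDP, so a complete redirect needs both protocols. The script below generates the rule set for a given resolver IP in both firewall flavours found on OpenWrt-based firmware: iptables lines for fw3 firmware, where /etc/firewall.user is the file that the LuCI Custom Rules tab edits, and an nftables chain for fw4 firmware (OpenWrt 22.03 and later), where that tab is gone and custom rules are dropped into /etc/nftables.d/ instead. Assumptions: the LAN bridge is named br-lan, and the .nft file name is a placeholder. Neither variant touches encrypted DNS (DoH on 443 or DoT on 853); it only catches plaintext port-53 traffic.

```shell
#!/bin/sh
# Added example, not from the thread: builds the "force all port-53 DNS to one
# resolver" rules for OpenWrt-based GL.iNet firmware, in both firewall flavours.
# Assumptions: the LAN bridge is br-lan; the .nft file name is a placeholder.
# Only plaintext DNS on port 53 is caught; DoH/DoT on 443/853 is untouched.

DNS_IP="${DNS_IP:-208.67.222.222}"   # OpenDNS resolver from the original post

# fw3 (iptables) firmware: append these lines to /etc/firewall.user, the file
# behind LuCI's Network > Firewall > Custom Rules tab where that tab exists,
# then run: /etc/init.d/firewall restart
iptables_rules() {
    ip="$1"
    # UDP carries most DNS traffic; a TCP-only rule leaves it unredirected.
    # "! -d $ip" skips traffic already headed to the resolver.
    printf 'iptables -t nat -A PREROUTING -i br-lan ! -d %s -p udp --dport 53 -j DNAT --to-destination %s\n' "$ip" "$ip"
    printf 'iptables -t nat -A PREROUTING -i br-lan ! -d %s -p tcp --dport 53 -j DNAT --to-destination %s\n' "$ip" "$ip"
}

# fw4 (nftables, OpenWrt 22.03+) firmware: LuCI no longer has a Custom Rules
# tab; save the output as e.g. /etc/nftables.d/10-force-dns.nft (assumed name),
# which fw4 includes into "table inet fw4", then restart the firewall.
# Priority -101 places the chain just ahead of fw4's own dstnat chain (-100).
nft_rules() {
    ip="$1"
    cat <<EOF
chain user_force_dns {
    type nat hook prerouting priority -101; policy accept;
    iifname "br-lan" ip daddr != $ip udp dport 53 counter dnat ip to $ip
    iifname "br-lan" ip daddr != $ip tcp dport 53 counter dnat ip to $ip
}
EOF
}

# Pick the flavour matching the running firewall (fw4 binary present or not).
emit_rules() {
    if command -v fw4 >/dev/null 2>&1; then
        nft_rules "$DNS_IP"
    else
        iptables_rules "$DNS_IP"
    fi
}

# Sanity check on a generated ruleset: both UDP and TCP must be redirected.
covers_both_protocols() {
    printf '%s\n' "$1" | grep -q 'udp' && printf '%s\n' "$1" | grep -q 'tcp'
}

emit_rules
```

Run it on the router (or anywhere, to preview the output) with `DNS_IP=208.67.222.222 sh force-dns.sh`; the `! -d` / `ip daddr !=` exclusions keep the rules from rewriting traffic that is already going to the chosen resolver. Clients that have switched to encrypted DNS will still bypass this, as the replies further down point out; the redirect is only effective for plaintext resolvers such as 8.8.8.8 on port 53.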
I believe what is happening is that the Fire Tablets have ESET Security. Although a non-security iPad connects and the GL-300M V2 Mango gives the iPad only the DNS the Mango assigns it, the Fire Tablets show that they are using the DNS supplied by the Mango but also use DNS 8.8.8.8, likely assigned by ESET, which seems to override the Mango and leaves all sites open. That is why I am exploring this LuCI override option.
If any of your devices turn on DNS over HTTPS (DoH), you are not going to block it with a GL.iNet router. All my systems are set up to use DoH, as I don't want anyone redirecting my DNS traffic.
Some systems will automatically encrypt DNS if the DNS server supports it. 8.8.8.8 does support encrypted DNS, so the system may already have encrypted it.
Encrypted DNS (in clients) cannot be intercepted or redirected on the router.
As the data packet is encrypted and uses port 443, it cannot be decrypted, and port 443 cannot be blocked at all on the router. If it is blocked, all HTTPS websites may become inaccessible.