Force exclusive DNS on all clients

Hi friends,

I have been running with Adguard and Unbound on the GL-X2000 for a week or two. I made a rule in the firewall as instructed here

config rule
  option dest 'wan'
  option dest_port '53 853 5353'
  option enabled '1'
  option family 'any'
  option name 'Block-Public-DNS'
  option proto 'tcpudp'
  option src 'lan'
  option target 'REJECT'

Works very well to force all DNS requests into Adguard and make every device exclusively use the DNS running on the device (unbound).

But I have realized that perhaps it is better to run Adguard and Unbound on a seperate server, and let the router focus on traffic

On this new server, everything works nice, except for the rule to force exclusive DNS. I am not seeing Chromecast anymore, for example. I’m sure it has hardcoded DNS.
So I was wondering if it was possible to make this same thing work, in some other way. I feel it might be doable, but I cannot figure out how.

Thanks in advance for any help.

DHCP is via this other server or your glinet device?

I am using DHCP via my glinet device.

Have found one way of doing it, that requires me to make a port forwarding rule for the IPs that I want to force. If I make a gereral rule like this, I am unable to browse the web.

Screenshot from 2026-01-31 06-54-201260×394 47.6 KB

Seems to be working for these two devices at least. But would be nice with a common rule.

Forward all dns queries to that server and block other dns queries on AGH on the server.

I am using the DNS for the AGH server in glinet menu.

Forwarding all DNS is a rule I can setup in LUCi? Will look into that. And blocking all other on AGH on my server, ok will try. Currently only the Unbound server is listed as DNS in AGH.

Thanks

Why not just enable the "Overwrite DNS for all clients" option inside the GL menu?

That option is only available when you activate AGH installed on the router.

No, it is also available in the plain DNS settings.

Is that the ‘Override DNS Settings of All Clients’ function.

Maybe I am just an idi%&# and can’t see it

Screenshot from 2026-01-31 18-32-00934×557 47.1 KB

Screenshot from 2026-01-31 18-32-14891×574 52.7 KB

Nope, this one: DNS - GL.iNet Router Docs 4

Hey,

Thanks a lot for answering and having patience with my lacking ability to make this work for all devices.

I tried everything in your link to see if it would work, and it did work for my TP device. It is now forced to go via Adguard Home on my Proxmox server.

Unfortunatly my two Chromecast devices just refuses to play ball with these general rules. I have no idea why. Maybe I am doing something wrong (very likely), or perhaps I should factory reset the router.
But the specific rules work, so that’s the way forward for me for now.

Thanks again for all the help.

Kind Regards

They use Google DNS hardcoded and mostly using DoH. No way to block it without a DPI firewall because it's just HTTPS traffic.

There are also ip block lists, my suggestion is to use something like banip it has a way to block a big list on DoH ips, there is still a loophole available once ip connectivity with DoH fails it falls back to traditional dns in where dns hijacking works again.

Currently that is how I work around the issue, besides blackholing 8.8.8.8 entirely.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.