I was reading about how IoT devices like TVs have hardcoded DNS and may ignore the router's DHCP, especially if the queries are encrypted with DoH/DoQ. This is news to me. Currently, I am using Adguard Home on the Flint 2. The upstream server is NextDNS. How do I ensure that all clients, IoT or not, will not ignore the Flint 2 and that I can prevent any attempt to bypass my DNS settings? I want all DNS queries to go through NextDNS.
There are plenty of posts in this forum explaining how to do so - or explaining why it won't work:
All in all, as long as you know which DNS server they will use, you can block the connection to this one. If you don't know it, you won't have any great options left.
To stop IoT devices from bypassing your DNS setup, you need to enforce DNS redirection at the router level. On the Flint 2, configure firewall rules so all outbound DNS traffic (port 53) is redirected to AdGuard Home, and block or redirect encrypted DNS ports (443 for DoH, 853 for DoT, 8853 for DoQ) unless they go to NextDNS. Keep Flint 2 as the DHCP server so clients get its DNS IP, but even if devices ignore DHCP, the firewall rules will catch them. This way, every query—IoT or not—must pass through AdGuard Home and then NextDNS.
This is the response I'm looking for! How do I do that?
Is there any way to verify that my laptop, iPhone, and Xiaomi phone aren't bypassing NextDNS? I had no idea it was possible for IoT devices to even do that, and now I want to go through everything and make sure that no device is ignoring my router.
Once enabled, all clients' unencrypted DNS requests will be redirected to the router and forwarded to the specified upstream DNS (NextDNS in your case) based on your settings.
Please note, this does not apply to encrypted DNS (DoT/DoH/DoQ).
You can try following the steps of the post shared by Admon to block the corresponding encrypted DNS services and see if these applications/IoT devices will fall back to plain DNS for redirection.
(Note that if they don’t have a fallback mechanism to unencrypted DNS, they may not function properly.)
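As an added worked example (not GL.iNet's, AdGuard's or NextDNS's code), here is what the redirect-plus-block setup looks like as an fw4/nftables fragment on an OpenWrt-based router such as the Flint 2. It assumes AdGuard Home listens on the LAN address and port given at the top, that the LAN bridge is `br-lan`, and that the NextDNS IPv4 addresses are the ones shown on your own NextDNS setup page (the two addresses in the script are placeholders to replace). The file name under `/etc/nftables.d/`, the chain and set names, and the `show`/`apply` arguments are all my own choices.

```shell
#!/bin/sh
# Added example: force every LAN client's DNS through AdGuard Home -> NextDNS
# on an OpenWrt/fw4 router. Not part of GL.iNet, AdGuard or NextDNS.
# Assumptions (adjust before use): AdGuard Home listens on AGH_ADDR:AGH_PORT,
# the LAN bridge is LAN_IF, NEXTDNS_V4 holds the addresses from your NextDNS
# setup page (the defaults below are placeholders to verify).
AGH_ADDR="${AGH_ADDR:-192.168.8.1}"
AGH_PORT="${AGH_PORT:-53}"
LAN_IF="${LAN_IF:-br-lan}"
NEXTDNS_V4="${NEXTDNS_V4:-45.90.28.0, 45.90.30.0}"   # placeholder, verify on your NextDNS page
SNIPPET="/etc/nftables.d/20-dns-enforce.nft"         # my own file name

# Emit the nft fragment. fw4 includes /etc/nftables.d/*.nft inside
# "table inet fw4", so sets and chains are declared without a table wrapper.
dns_enforcement_rules() {
    cat <<EOF
# NextDNS resolvers that clients may reach directly over DoT/DoH/DoQ.
set nextdns_v4 {
    type ipv4_addr
    elements = { $NEXTDNS_V4 }
}
# Known public DoH resolvers. Fill from a DoH blocklist (banIP can do this).
set doh_v4 {
    type ipv4_addr
    flags interval
}
# 1. Plain DNS: DNAT every LAN query for port 53 to AdGuard Home, whatever
#    resolver the client was hardcoded with. Runs just before fw4's own dstnat.
chain dns_hijack {
    type nat hook prerouting priority dstnat - 1; policy accept;
    iifname "$LAN_IF" meta nfproto ipv4 meta l4proto { tcp, udp } th dport 53 counter dnat ip to $AGH_ADDR:$AGH_PORT
}
# 2. Encrypted DNS: let NextDNS through, reject DoT (853) and DoQ (8853) to
#    anyone else, and reject 443 only to resolvers in @doh_v4. DoH to a server
#    not in that set is indistinguishable from ordinary HTTPS and passes.
#    Plain DNS over IPv6 to the outside is rejected since the DNAT above is v4-only.
chain dns_enforce {
    type filter hook forward priority filter - 1; policy accept;
    iifname "$LAN_IF" ip daddr @nextdns_v4 accept
    iifname "$LAN_IF" meta l4proto { tcp, udp } th dport { 853, 8853 } counter reject
    iifname "$LAN_IF" ip daddr @doh_v4 meta l4proto { tcp, udp } th dport 443 counter reject
    iifname "$LAN_IF" meta nfproto ipv6 meta l4proto { tcp, udp } th dport 53 counter reject
}
EOF
}

# Wrap the fragment the way fw4 will see it, for a syntax check with nft -c.
dns_rules_as_table() {
    printf 'table inet fw4 {\n'
    dns_enforcement_rules
    printf '}\n'
}

# Dry-run parse, install the fragment, reload fw4, then show the counters so
# you can tell whether clients are actually hitting the rules.
install_dns_rules() {
    if ! command -v nft >/dev/null 2>&1 || ! command -v fw4 >/dev/null 2>&1; then
        echo "nft/fw4 not found; run this on the OpenWrt router" >&2
        return 1
    fi
    dns_rules_as_table | nft -c -f - || return 1
    dns_enforcement_rules > "$SNIPPET"
    fw4 reload
    nft list chain inet fw4 dns_hijack
    nft list chain inet fw4 dns_enforce
}

case "${1:-}" in
    show)  dns_enforcement_rules ;;   # print the fragment
    apply) install_dns_rules ;;       # install it on the router
esac
```

Run `sh dns-enforce.sh show` anywhere to inspect the fragment and `sh dns-enforce.sh apply` on the router. Two caveats a practitioner should keep in mind: if the GL.iNet GUI option that overrides DNS for all clients is already on, the `dns_hijack` chain duplicates it and can be dropped; and `reject` rather than `drop` is deliberate for DoT/DoQ, because an immediate ICMP/RST makes clients that do have a fallback give up on the encrypted path quickly instead of hanging until a timeout.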
I don't know the IPs or the DNS servers they're using. I meant encrypted DNS like DoH. I would like to know the best way to block all unauthorized encrypted DNS queries from IoT devices.
The DoH protocol cannot be directly identified, so it can only be blocked based on IP address and port.
You can refer to the following guide and use luci-app-banip together with a DoH blocklist (as mentioned in the post shared by Admon) to block common DoH servers.
However, if an app or IoT device is using a server outside of those lists (such as a less common or self-hosted one), there may not be a reliable way to detect or block it.
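To answer the earlier question of how to check whether a laptop, phone or IoT device is actually bypassing the router, here is an added audit script (mine, not GL.iNet's or AdGuard's) that reads the router's connection table and classifies DNS-looking flows from LAN clients. It assumes LAN clients live in `192.168.8.x`, that the NextDNS addresses are the ones on your NextDNS setup page (the two defaults are placeholders), and that the "known DoH" list is whatever blocklist you feed banIP (the handful of well-known public resolver addresses in the default are only a sample). The embedded conntrack lines are constructed for the demo; on the router you would feed it `/proc/net/nf_conntrack` or `conntrack -L` output instead.

```shell
#!/bin/sh
# Added example: audit the router connection table for DNS flows that bypass
# AdGuard Home / NextDNS. Not part of GL.iNet, AdGuard or NextDNS.
# Input on stdin: /proc/net/nf_conntrack or `conntrack -L` lines.
# Assumptions (adjust before use): LAN clients match LAN_PREFIX, NEXTDNS_V4 is
# from your NextDNS setup page (defaults are placeholders), KNOWN_DOH_V4 is a
# small sample and should come from a real DoH blocklist.
LAN_PREFIX="${LAN_PREFIX:-192.168.8.}"
NEXTDNS_V4="${NEXTDNS_V4:-45.90.28.0 45.90.30.0}"
KNOWN_DOH_V4="${KNOWN_DOH_V4:-8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9}"

audit_dns_flows() {
    awk -v allow="$NEXTDNS_V4" -v doh="$KNOWN_DOH_V4" -v lan="$LAN_PREFIX" '
    BEGIN {
        n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
        n = split(doh, b, " ");   for (i = 1; i <= n; i++) known[b[i]] = 1
    }
    {
        # Original direction is the first src=/dst=/dport= on the line; the
        # reply direction starts at the second src=. Protocol is the tcp/udp token.
        src = ""; dst = ""; dport = ""; rsrc = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)        { if (src == "") src = substr($i, 5); else if (rsrc == "") rsrc = substr($i, 5) }
            else if ($i ~ /^dst=/)   { if (dst == "") dst = substr($i, 5) }
            else if ($i ~ /^dport=/) { if (dport == "") dport = substr($i, 7) }
            else if (proto == "" && ($i == "tcp" || $i == "udp")) proto = $i
        }
        # Only LAN-originated flows. The router itself talking to NextDNS
        # (AdGuard Home upstream) is expected and is skipped here.
        if (src == "" || index(src, lan) != 1) next
        status = ""
        if (dport == "53") {
            # With the port-53 DNAT in place the reply comes from the router,
            # not from the resolver the client asked for. Reply src equal to the
            # original dst means the query left the network unredirected.
            status = (rsrc == dst) ? "BYPASS-PLAIN" : "REDIRECTED"
        } else if (dport == "853" || dport == "8853") {
            status = (dst in ok) ? "ALLOWED" : (dport == "853" ? "BYPASS-DOT" : "BYPASS-DOQ")
        } else if (dport == "443" && (dst in known)) {
            status = "BYPASS-DOH"   # DoH to a server not in the list is invisible here
        } else if (dport == "443" && (dst in ok)) {
            status = "ALLOWED"
        }
        if (status != "") printf "%-13s %-15s -> %s:%s/%s\n", status, src, dst, dport, proto
    }'
}

# Constructed sample in /proc/net/nf_conntrack format (203.0.113.5 plays the
# router WAN address). Not captured from a real device.
sample_conntrack() {
    cat <<'EOF'
ipv4     2 udp      17 28 src=192.168.8.50 dst=8.8.8.8 sport=40001 dport=53 src=192.168.8.1 dst=192.168.8.50 sport=53 dport=40001 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.8.51 dst=1.1.1.1 sport=51000 dport=853 src=1.1.1.1 dst=203.0.113.5 sport=853 dport=51000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.8.51 dst=45.90.28.0 sport=51001 dport=853 src=45.90.28.0 dst=203.0.113.5 sport=853 dport=51001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.8.52 dst=8.8.8.8 sport=40002 dport=53 src=8.8.8.8 dst=203.0.113.5 sport=53 dport=40002 mark=0 zone=0 use=2
ipv4     2 tcp      6 120 ESTABLISHED src=192.168.8.53 dst=8.8.8.8 sport=51002 dport=443 src=8.8.8.8 dst=203.0.113.5 sport=443 dport=51002 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 120 ESTABLISHED src=192.168.8.53 dst=198.51.100.9 sport=51003 dport=443 src=198.51.100.9 dst=203.0.113.5 sport=443 dport=51003 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=45.90.28.0 sport=51004 dport=853 src=45.90.28.0 dst=203.0.113.5 sport=853 dport=51004 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 20 src=192.168.8.54 dst=9.9.9.9 sport=40003 dport=8853 src=9.9.9.9 dst=203.0.113.5 sport=8853 dport=40003 mark=0 zone=0 use=2
EOF
}

case "${1:-}" in
    demo) sample_conntrack | audit_dns_flows ;;            # run against the sample
    live) audit_dns_flows < /proc/net/nf_conntrack ;;     # run on the router
esac
```

On the sample this prints one REDIRECTED line (the client whose port-53 query was answered by the router), one BYPASS-PLAIN line (reply came straight from 8.8.8.8, so the redirect is not working for that client), BYPASS-DOT and BYPASS-DOQ lines for DoT/DoQ to non-NextDNS resolvers, ALLOWED for DoT to NextDNS, and BYPASS-DOH only for the 443 flow to a listed resolver; the 443 flow to an unlisted address is printed as nothing, which is exactly the limit the reply above describes. Running it in a loop over a day on the router (`while :; do sh audit.sh live; sleep 60; done | sort -u`) is a cheap way to find out which of your own devices have hardcoded resolvers before you decide what to block.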
Instead of doing the difficult part of identifying the DoH traffic, is there a way to force all traffic through NextDNS? A quick search on Google shows there are guides for other routers to do so. I had no idea it was even possible for devices to ignore the DHCP from the router. I thought everything was forced through the router. Are you not concerned about the implications of this, and what mitigation strategy can GL.iNet come up with?
The main issue: DoH traffic is encrypted; that's why you can't force it to go somewhere else. DNS is unencrypted; that's why the router can hijack it.
Disabling or configuring DoH on each end device is the only true method to deal with it. Other approaches, such as blocking all DoH servers (which is useless because there may be an infinite number of them) or using deep packet inspection (which is not possible with a typical consumer router; it requires "better" hardware) are merely band-aid solutions.
In the near future™ it will be nearly impossible to hijack traffic. TLS v1.3 is specifically designed to be immune against such methods. If the end device wants to talk to the internet, it will do so, as long as you don't block the whole connection or force the device (if the device allows it!) to use less secure methods, so you can hijack.
Ok, I had no idea, and this is worrying. What are the implications of IoT with hardcoded DNS servers? Are there legitimate privacy and security concerns?
I'm surprised this topic isn't discussed more often here. Do iOS, macOS, Android, Windows, and Linux have similar issues where some apps or system apps can secretly contact their servers by encrypting their DNS requests? If the future TLS standard is adopted, I'm assuming AdGuard Home with blocklists may become useless?
In terms of privacy and security, how does segmenting IoT devices from my phones and PCs help?