Or is there any way to force every LAN and guest client to use the DNS server defined in the router and not any other DNS server? Excluding clients using WireGuard.
In short, I want to completely block access to any DNS for clients except those set in the router; this doesn't apply to clients using WireGuard or OpenVPN, of course.
DHCP, as typically configured, will set each client’s DNS to be that of the router. Static configuration can be set to point to the router.
As DHCP is a “suggestion” and any host can configure whatever DNS they want, including alternate ports or transport, at best you can make it “more challenging”.
Blocking forwarding of TCP and UDP with a destination port of 53 should still let your router contact upstream DNS, but discourage others from its use.
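The forwarding block described in the reply above, written as an OpenWrt `/etc/config/firewall` fragment. This is an added example, not from the thread; it assumes the zone names `lan`, `guest` and `wan` as they appear in a default OpenWrt firewall config (a WireGuard or OpenVPN interface in its own zone is simply not matched by these rules, so VPN clients are unaffected). The rules only match forwarded traffic, so the router's own dnsmasq can still reach its upstream resolvers.

```uci
# Added example: reject plain DNS (TCP/UDP 53) forwarded from the LAN to the WAN.
# Router-originated DNS is OUTPUT, not FORWARD, so the router still reaches upstream.
config rule
	option name 'Reject-LAN-DNS-to-WAN'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'REJECT'

# Same rule for the guest zone (assumed zone name 'guest').
config rule
	option name 'Reject-Guest-DNS-to-WAN'
	option src 'guest'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'REJECT'

# Optional: also reject DNS-over-TLS (TCP 853), one of the "alternate ports or
# transports" a client can fall back to. DNS-over-HTTPS shares port 443 with
# ordinary web traffic and cannot be separated by port alone.
config rule
	option name 'Reject-LAN-DoT-to-WAN'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '853'
	option target 'REJECT'

# Alternative to rejecting: transparently redirect LAN port-53 queries to the
# router's own resolver, so clients with a hard-coded DNS server keep working
# instead of failing. DNAT happens in PREROUTING, before FORWARD filtering, so
# with this section present the reject rules above never see LAN port-53 traffic.
config redirect
	option name 'Redirect-LAN-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'
```

Append the sections to `/etc/config/firewall`, then run `service firewall restart`. Use either the reject rules or the redirect for a given zone, depending on whether you want clients with a hard-coded resolver to fail visibly or to be silently answered by the router; `logread` after the restart will show any syntax errors the firewall parser reports.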
I followed it and connected the Android TV to the main WiFi SSID, which uses WireGuard, and added the TV's MAC in VPN policies so that it does not use the VPN.
Issues with this scenario are:
1- If the WireGuard server is down, I have no Internet on the TV connected to the main WiFi SSID.
2- If I don't use static routes, then I can't use SmartDNS for Netflix.
3- If I add static routes again, then the Netflix app on the TV warns me that I am using a proxy.
I do not have any of these issues when using the ASUS AC3200, where I have added static routes and a custom DNS. I don't know if this is possible in OpenWrt.