"Private DNS Mode" on Android bypasses port forward DNS rules
Topic: "Private DNS Mode" on Android bypasses port forward DNS rules (Read 4737 times)
baz
Jr. Member
Posts: 52
Karma: 1
"Private DNS Mode" on Android bypasses port forward DNS rules
on: December 06, 2021, 12:26:20 pm
I have port forwarding rules that redirect any attempts to use external port 53 DNS resolvers to the local unbound. If I set a "Private DNS provider" on Android to, say, Cloudflare, this bypasses the redirect. How can I also redirect port 853 encrypted DNS to the local resolver?
Last Edit: December 06, 2021, 12:36:42 pm by baz
tiermutter
Hero Member
Posts: 1099
Karma: 61
Re: "Private DNS Mode" on Android bypasses port forward DNS rules?
Reply #1 on: December 06, 2021, 12:37:28 pm
This option will cause the Android device to use DoT or DoH DNS.
These DNS requests will not use port 53 and your redirect rule will not be hit.
Instead the requests use ports 443 (DoH) and 853 (DoT). However, you'll not be able to redirect it, because 443 is used by HTTPS too and redirecting 853 will cause the client to discard the answer from your own resolver.
Some devices/apps will fall back to normal DNS when DoT/853 is generally blocked, some will just time out.
I'm blocking 853, forcing the clients to fall back to normal DNS or to time out. For DoH/443 I found some DNS server lists on GitHub so that I can block all 443 requests to servers on these lists, which will cause the clients to fall back or time out too. Not very nice, but the only way I found to block such requests when they are hardcoded.
i am not an expert... just trying to help...
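The policy tiermutter describes above (plain port 53 redirected to the local unbound, port 853 blocked, port 443 blocked only when the destination is on a published DoH server list) applied to a few constructed connection records, as an added example that is not from this thread or from OPNsense itself. The local resolver address and the DoH address list are assumptions for illustration.

```python
# Added example: classify outbound flows the way the firewall policy in the
# reply above would, to check which DNS-bypass attempts it catches.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

LOCAL_RESOLVER = "192.168.1.1"  # assumed LAN address of the local unbound

# Constructed sample list; a real setup would load a published DoH server list
# into a firewall alias instead of hardcoding addresses here.
DOH_SERVERS = [ipaddress.ip_network(n) for n in
               ("1.1.1.1/32", "1.0.0.1/32", "8.8.8.8/32", "9.9.9.9/32")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def in_doh_list(addr: str) -> bool:
    """True if the destination is on the (constructed) DoH server list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DOH_SERVERS)


def decide(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) for one flow under the policy from the reply."""
    if flow.dport == 53 and flow.dst != LOCAL_RESOLVER:
        return ("redirect", f"plain DNS sent to {LOCAL_RESOLVER} instead")
    if flow.dport == 853:
        # Blocked rather than redirected: a redirected DoT session would fail
        # certificate validation against the local resolver and be discarded.
        return ("block", "DoT to an external resolver; client falls back or times out")
    if flow.dport == 443 and in_doh_list(flow.dst):
        return ("block", "HTTPS to a listed DoH resolver")
    return ("pass", "not a DNS bypass under this policy")


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count how many flows get each action."""
    counts: Dict[str, int] = {"redirect": 0, "block": 0, "pass": 0}
    for f in flows:
        counts[decide(f)[0]] += 1
    return counts


# Constructed sample flows: a phone using plain DNS, Private DNS (DoT), a DoH
# app, and ordinary web traffic.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "8.8.8.8", 53, "udp"),
    Flow("192.168.1.20", LOCAL_RESOLVER, 53, "udp"),
    Flow("192.168.1.21", "1.1.1.1", 853, "tcp"),
    Flow("192.168.1.21", "1.1.1.1", 443, "tcp"),
    Flow("192.168.1.22", "203.0.113.10", 443, "tcp"),
    Flow("192.168.1.23", "1.0.0.1", 443, "udp"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {decide(f)}")
    print(summarize(SAMPLE_FLOWS))
```

The HTTPS flow to 203.0.113.10 passes because it is not on the list, which is exactly the gap the reply points out: DoH to an unlisted server looks like any other web traffic.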
baz
Jr. Member
Posts: 52
Karma: 1
Re: "Private DNS Mode" on Android bypasses port forward DNS rules
Reply #2 on: December 06, 2021, 12:55:35 pm
Thanks for a really nice answer 👍. So we're kind of screwed in the long run when it comes to blocking rogue devices? I guess it doesn't even have to be encrypted, they could simply hard-code a non-standard port to their custom servers.
In the same vein, I just finished setting up a nice structure of VLANs: USERS, ADMINS, IoT, and whatnot. But for my TV, for example, I need to allow Netflix, and Netflix is a giant complicated network of changing IPs and ports for load-balancing and geo-coding and such, that is very difficult to isolate. So you end up having to open everything; same for pretty much any internet service, which renders the beautiful VLAN structure near useless. A couple of firewall rules could have achieved the same. It doesn't seem like we have the right tools in networking. We're fighting a losing battle.
Last Edit: December 06, 2021, 08:34:17 pm by baz