
HOWTO - Redirect all DNS Requests to Opnsense


CJ:

--- Quote from: 9axqe on January 17, 2024, 06:16:55 pm ---Well, the reasoning is:

* if you are blocking port 53 outbound, it means you expect some devices to attempt to use external DNS.
* If a device is using an external DNS, it's either malicious or misconfigured.
* ergo, you are already planning for misconfigured devices
* Hence redirecting is the logical thing to do.
--- End quote ---

Being prepared for something attempting to use external DNS is different from expecting it. So far the main offenders I've run into are IoT devices that have something like Google DNS hardcoded in addition to what is provided by DHCP. My assumption is to reduce support load when used on misconfigured consumer networks.

IME, redirections cause problems troubleshooting when people forget or don't realize that a redirection is in place. Since every device accepts the DNS provided by DHCP, I'd rather just block 53 and 853 so that I can easily tell if there's a problem and quickly handle it.


--- Quote from: 9axqe on January 17, 2024, 06:16:55 pm ---Additionally, I suspect some devices such as smart TVs fall back to DNS over HTTPS/TLS/QUIC if they notice DNS to outside is being blocked. But I have never observed it; it's pure conjecture.

--- End quote ---

I've not run into this personally. Firefox defaults to DoH, but devices with blocked DNS just attempt more connections instead of switching to an alternative method.
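CJ's argument for blocking 53 and 853 rather than redirecting is that a blocked attempt shows up in the firewall log and points straight at the misconfigured device. The script below is an added example (not code from this thread or from OPNsense) of the check a defender would run over such a log: it picks out LAN clients that tried to reach a DNS or DNS-over-TLS port on anything other than the local resolver and summarises them per client. It assumes a constructed, simplified log line format rather than OPNsense's native filterlog CSV, a LAN of 192.168.1.0/24 and a resolver at 192.168.1.1; the sample lines are constructed.

```python
"""Find LAN clients attempting external DNS (port 53) or DoT (port 853).

Added example. The log format and the sample lines are constructed for
illustration and are not OPNsense's filterlog format.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed line format (assumption, not OPNsense's own):
# <timestamp> <action> <direction> <interface> <proto> <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>block|pass)\s+(?P<dir>in|out)\s+(?P<iface>\S+)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# The two ports the post proposes blocking: plain DNS and DNS over TLS.
DNS_PORTS = {53: "dns", 853: "dot"}

# Constructed sample log: two clients leaking DNS, one using the local resolver,
# one HTTPS connection (invisible to a port-based check) and one malformed line.
SAMPLE_LOG = [
    "2024-01-17T18:16:55 block in igc1 udp 192.168.1.50:53421 -> 8.8.8.8:53",
    "2024-01-17T18:16:56 block in igc1 udp 192.168.1.50:53422 -> 8.8.4.4:53",
    "2024-01-17T18:16:57 pass in igc1 udp 192.168.1.23:40110 -> 192.168.1.1:53",
    "2024-01-17T18:16:58 block in igc1 tcp 192.168.1.77:51000 -> 1.1.1.1:853",
    "2024-01-17T18:16:59 block in igc1 tcp 192.168.1.50:51001 -> 203.0.113.10:443",
    "this line is not a firewall record",
]


def parse_line(line):
    """Return the fields of a well-formed line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def external_dns_attempts(lines, lan_nets, resolver_ip):
    """Return events where a LAN client sent DNS/DoT to anything but the local resolver."""
    nets = [ip_network(n) for n in lan_nets]
    resolver = ip_address(resolver_ip)
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in DNS_PORTS:
            continue  # unparseable, or not a DNS/DoT port: outside this check's scope
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if not any(src in n for n in nets):
            continue  # not one of our LAN clients
        if dst == resolver or any(dst in n for n in nets):
            continue  # talking to the local resolver (or another LAN host): expected
        events.append({
            "ts": rec["ts"],
            "client": str(src),
            "target": str(dst),
            "kind": DNS_PORTS[rec["dport"]],
            "action": rec["action"],
        })
    return events


def summarize(events):
    """Per-client counts of plain-DNS and DoT attempts plus the set of targets hit."""
    summary = defaultdict(lambda: {"dns": 0, "dot": 0, "targets": set()})
    for ev in events:
        entry = summary[ev["client"]]
        entry[ev["kind"]] += 1
        entry["targets"].add(ev["target"])
    return dict(summary)


if __name__ == "__main__":
    report = summarize(external_dns_attempts(SAMPLE_LOG, ["192.168.1.0/24"], "192.168.1.1"))
    for client, info in sorted(report.items()):
        print(f"{client}: dns={info['dns']} dot={info['dot']} "
              f"targets={sorted(info['targets'])}")
```

The 443 line in the sample is deliberately ignored: a port-based block, and therefore this check, cannot tell DoH apart from ordinary HTTPS, which is why 9axqe's fallback concern would need a different control (for example resolver-side visibility or a list of known DoH endpoints) rather than more port rules.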
