Some devices ship with hard coded IP addresses for DNS resolvers (Chromecast uses Google Public DNS for example). Is there a practical way to require all LAN devices to use the Omnia’s resolver? I wish to restrict access to third-party DNS resolvers on my LAN.
In my case I’m running Pi-hole, a DNS ad blocker, in a LXC container for DNS lookups on my LAN. Everything should use only this for DNS lookups and I’m not sure of the best way to filter requests from LAN devices directly to IP addresses.
Blocking traffic to known resolvers such as 8.8.8.8 leaves the possibility that devices could use third party resolvers I do not know about. I could block outbound port 53 traffic, but I would have to add an exception for the PI-hole. Is there a superior way?
I’m not concerned about any devices that stop working as a result of this change, all LAN devices must use the DNS resolver I choose.
I had a situation where i wanted to do the same. Here was my working config:
config redirect
option name 'Override hardcoded DNS servers in IoT devices'
option src 'iot'
option proto 'tcpudp'
option src_dport '53'
option dest_ip '192.168.12.1'
option dest_port '53'
My advantage was that i had a different VLAN for my IoT devices, that you don’t seem to have. But i remember some years ago i tried to configure a transparent HTTP proxy, so that all HTTP traffic except from one device (the proxy host) was redirected to the proxy. I think there was an option where you could negate a dest_ip setting with the help of an exclamation mark. I do not know the actual syntax any more, but this can be googled, i think.
