Preventing DNS leaks from network

I’m interested in enforcing my router’s DNS settings on my network.

I have DoH enabled on the router, and most devices are sending their DNS queries to my router, allowing me to use the DoH server.

However, a few IoT devices are refusing to accept the DHCP DNS servers. I want to force them to either accept my DNS servers, or have no DNS resolution.

Would blocking outbound traffic to port 53 on my WAN interface be sufficient to achieve this, or are there additional steps/considerations I should have?

Block both 53 and 853, both UDP and TCP. Be aware that DoH won’t be blocked this way (but probably most IoT devices will only perform “normal” DNS requests).

In addition, you could also redirect all outbound DNS requests to your router's DNS server (replace the IP address with your router's IP address):

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=10.0.0.69 protocol=udp src-address=!10.0.0.69 dst-address=!10.0.0.69 dst-port=53
add chain=dstnat action=dst-nat to-addresses=10.0.0.69 protocol=tcp src-address=!10.0.0.69 dst-address=!10.0.0.69 dst-port=53

That seems to be working well, thank you for the advice!

And would I be correct in assuming that something similar is available for IPv6? It’s my understanding that IPv6 doesn’t use NAT, but I’d assume some kind of forwarding rule could be set.
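As an added example (not from any of the posts above), here is a fuller RouterOS rule set for the approach described in this thread: the dst-nat redirect of plain DNS to the router, plus forward-chain drops for 53 and 853 so that anything still trying to go out over the WAN gets nothing, and the IPv6 counterpart of the drop rules. It assumes the router's LAN address is 10.0.0.69, the WAN interface is named ether1, and RouterOS 7 (which has an /ipv6 firewall filter, and also /ipv6 firewall nat, though a plain drop is enough for "router DNS or no DNS"). DoH over 443 is not caught by any of this, as noted above.

```routeros
# Added example, not the forum's own configuration.
# Assumptions: router LAN address 10.0.0.69, WAN interface ether1, RouterOS 7.

# 1. Redirect plain DNS (UDP/TCP 53) from LAN clients to the router's resolver.
#    Traffic already addressed to the router itself is left alone.
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 src-address=!10.0.0.69 dst-address=!10.0.0.69 action=dst-nat to-addresses=10.0.0.69 comment="redirect plain DNS (udp) to router"
add chain=dstnat protocol=tcp dst-port=53 src-address=!10.0.0.69 dst-address=!10.0.0.69 action=dst-nat to-addresses=10.0.0.69 comment="redirect plain DNS (tcp) to router"

# 2. Drop anything that still tries to leave via the WAN on 53 (DNS) or 853 (DNS over TLS).
#    The forward chain only sees LAN->WAN traffic; the router's own DoH client uses the
#    output chain, so it is not affected.
/ip firewall filter
add chain=forward out-interface=ether1 protocol=udp dst-port=53,853 action=drop comment="block DNS/DoT leaks"
add chain=forward out-interface=ether1 protocol=tcp dst-port=53,853 action=drop comment="block DNS/DoT leaks"

# 3. IPv6: no redirect here, just the same drops, so v6-capable IoT devices cannot
#    bypass the v4 rules by resolving over IPv6.
/ipv6 firewall filter
add chain=forward out-interface=ether1 protocol=udp dst-port=53,853 action=drop comment="block DNS/DoT leaks (v6)"
add chain=forward out-interface=ether1 protocol=tcp dst-port=53,853 action=drop comment="block DNS/DoT leaks (v6)"

# The router's resolver must accept queries from the LAN for the redirect to work:
/ip dns set allow-remote-requests=yes
```

Place the drop rules before any general "accept established/related" or "accept from LAN" rules in the forward chain, otherwise they never match. A quick check from a LAN host is to query an external resolver directly on port 53 and confirm the answer comes back with the router's own cache behaviour, while a query to port 853 times out.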