Pi-hole does not solve the problem completely, unfortunately; it's fairly trivial to bypass network DNS. In theory any software could manually call one of the public DNS IPs or just have a fallback hardcoded list of IPs.
Nothing solves the problem completely. Redirecting DNS at the router to a blocking DNS server goes a long way, but DNS over HTTPS is a tougher nut to crack.
I block all DNS outbound on my home network. My resolver uses DNS over HTTPS to Cloudflare. I consider any DNS / UDP 53 traffic outbound unauthorized or a leak that should be prevented. If I see a beacon to a particular DNS server externally, I'll create a NAT to point to my resolver so I can manipulate the answers, if I deem it necessary.
zbrozek|4 years ago
koprulusector|4 years ago
genewitch|4 years ago
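The third comment's setup (all outbound port-53 traffic is a leak; repeated beacons to one external DNS server get a NAT rule pointing them at the local resolver) can be checked against firewall logs. The script below is an added example, not code from any commenter in the thread: it parses constructed log lines in an assumed `src=ip:port dst=ip:port` format, flags every outbound port-53 flow from the LAN, counts which external DNS servers are hit repeatedly, and prints nftables DNAT rules (assumed resolver address `192.168.1.2`, assumed LAN `192.168.1.0/24`) that would redirect those beacons to the local resolver.

```python
"""Find outbound DNS leaks in firewall logs and suggest NAT redirects.

Added example, not code from any commenter. Log format is constructed:
    <timestamp> <action> proto=<udp|tcp> src=<ip>:<port> dst=<ip>:<port>
"""
import ipaddress
import re
from collections import Counter

RESOLVER_IP = "192.168.1.2"                    # assumed: host running the DoH resolver
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN range

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) proto=(?P<proto>udp|tcp) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_dns_leak(rec):
    """Any plain DNS (port 53, UDP or TCP) leaving the LAN counts as a leak,
    regardless of which host sent it; the resolver is expected to use DoH."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    return rec["dport"] == 53 and src in LAN and dst not in LAN


def find_leaks(lines):
    """All parsed records that represent outbound plain-DNS traffic."""
    return [rec for rec in map(parse_line, lines) if rec and is_dns_leak(rec)]


def beacon_targets(leaks, min_hits=3):
    """External DNS servers contacted at least min_hits times: NAT candidates."""
    hits = Counter(rec["dst"] for rec in leaks)
    return {dst: n for dst, n in hits.items() if n >= min_hits}


def nat_redirect_rules(targets, resolver=RESOLVER_IP):
    """nftables DNAT rules that send traffic for each beaconed DNS server to
    the local resolver instead (assumes an 'ip nat' table with a prerouting chain)."""
    rules = []
    for dst in sorted(targets):
        for proto in ("udp", "tcp"):
            rules.append(
                f"nft add rule ip nat prerouting ip daddr {dst} {proto} dport 53 dnat to {resolver}"
            )
    return rules


# Constructed sample log: one host repeatedly trying 8.8.8.8 directly, one
# internal query to the resolver, the resolver's own DoH session, one stray query.
SAMPLE_LOG = [
    "2021-03-01T10:00:01 block proto=udp src=192.168.1.50:51000 dst=8.8.8.8:53",
    "2021-03-01T10:00:02 block proto=udp src=192.168.1.50:51001 dst=8.8.8.8:53",
    "2021-03-01T10:00:03 block proto=tcp src=192.168.1.50:51002 dst=8.8.8.8:53",
    "2021-03-01T10:00:04 pass proto=udp src=192.168.1.77:40000 dst=192.168.1.2:53",
    "2021-03-01T10:00:05 pass proto=tcp src=192.168.1.2:44000 dst=1.1.1.1:443",
    "2021-03-01T10:00:06 block proto=udp src=192.168.1.23:50000 dst=9.9.9.9:53",
    "this line is garbage and is skipped",
]

if __name__ == "__main__":
    leaks = find_leaks(SAMPLE_LOG)
    for rec in leaks:
        print(f"leak: {rec['src']} -> {rec['dst']}:{rec['dport']}/{rec['proto']}")
    for rule in nat_redirect_rules(beacon_targets(leaks)):
        print(rule)
```

The internal query to the resolver and the resolver's DoH session on port 443 are not flagged; only the four plain port-53 flows leaving the LAN are, and only 8.8.8.8 crosses the beacon threshold and gets redirect rules.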