rdslw | 3 years ago
1. have a separate VLAN (named vspy ;) for all the external devices like Apple TV etc.
2. all traffic to internet DNS ports (53, 853 etc.) is completely blocked from this VLAN
3. all traffic to an IP list (using ipset matching for speed) containing a manually curated few dozen publicly known DoH servers (including 8.8.8.8 et al.) is completely blocked from this VLAN
In other words: use my own DNS server or go away.
All services work fine (Apple, Google, TV/movie streaming etc.) while in this VLAN, and I see "my" devices continuously hit barriers 2 and 3.
TheHappyOddish | 3 years ago
My setup is similar (hairpin NAT for DNS to rewrite UDP 53 to my own server, separate VLAN), but I also have squid set up (whitelist only) with TLS bumping, and have installed my root CA on the TV. The ipset method is good thinking, but you're playing cat and mouse.