Just an FYI.
I was using a Surf SOHO to watch the network activity of a Roku box that had not been used for days, and I saw DNS access to 220.127.116.11. The Roku box only uses DHCP, yet the software on the box was specifically using Google for DNS; my router gives out another set of DNS servers via DHCP.
So, I wondered if any other LAN devices using DHCP were also bypassing the DNS servers I wanted them to use. I set an “allow” firewall rule to log all outbound access to 18.104.22.168 and 22.214.171.124. Sure enough, it found another device, but which one?
The event log entry has an IP address, but it was from a few days ago. I also log DNS server activity and that showed that the other device using Google DNS had just been assigned that IP address. This let me relate the IP from a few days ago to a MAC address. But the MAC address is not currently logged on, so which device was it?
WakeOnLAN keeps a list of LAN devices and shows both their user-friendly name and their MAC address. From that list I was able to tie the MAC address to the name I had given the device. It was an Android tablet.
Scary trend, DHCP devices using whatever server they want for DNS.
Next, I may trace all outgoing UDP port 53 requests to see if any other devices are not using the DNS servers that I want them to use. Or, I may block all outgoing access to Google’s DNS servers 126.96.36.199 and 188.8.131.52 and then see what, if anything, breaks.
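The correlation described in the post (firewall hit, then lease history, then MAC-to-name list), as an added example that is not part of the original post. The log line formats, addresses, MACs and device names are constructed placeholders; the point it shows is that an IP from a days-old log entry has to be resolved against the lease in effect at the time of the hit, because the address may have been handed to a different device since.

```python
from datetime import datetime

# Constructed sample data. The line formats are assumptions, not a router's real log format.
WATCHED = {"192.0.2.8", "192.0.2.4"}  # placeholder addresses for the resolvers being watched
FIREWALL_LOG = """\
2024-03-01T09:15:02 ALLOW src=192.168.1.23 dst=192.0.2.8 proto=udp dport=53
2024-03-01T09:15:40 ALLOW src=192.168.1.40 dst=192.168.1.1 proto=udp dport=53
2024-03-04T18:02:11 ALLOW src=192.168.1.23 dst=192.0.2.4 proto=udp dport=53
"""
DHCP_LOG = """\
2024-03-01T09:14:55 LEASE 192.168.1.23 aa:bb:cc:00:00:01
2024-03-03T07:30:00 LEASE 192.168.1.23 aa:bb:cc:00:00:02
"""
# Hypothetical MAC-to-name list, like the one a device inventory keeps.
DEVICE_NAMES = {"aa:bb:cc:00:00:01": "Android tablet", "aa:bb:cc:00:00:02": "Roku"}

def parse_leases(text):
    """Build {ip: [(lease_start, mac), ...]} sorted by time."""
    leases = {}
    for line in text.splitlines():
        ts, kind, ip, mac = line.split()
        if kind == "LEASE":
            leases.setdefault(ip, []).append((datetime.fromisoformat(ts), mac.lower()))
    for history in leases.values():
        history.sort()
    return leases

def mac_at(leases, ip, when):
    """MAC that held `ip` at `when`: the latest lease starting at or before it."""
    holder = None
    for start, mac in leases.get(ip, []):
        if start <= when:
            holder = mac
    return holder

def find_bypassers(fw_text, leases, names, watched=WATCHED):
    """Return (timestamp, src_ip, mac, name) for each logged hit on a watched resolver."""
    hits = []
    for line in fw_text.splitlines():
        ts, _action, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("dst") in watched:
            mac = mac_at(leases, kv["src"], datetime.fromisoformat(ts))
            hits.append((ts, kv["src"], mac, names.get(mac, "unknown device")))
    return hits

if __name__ == "__main__":
    for hit in find_bypassers(FIREWALL_LOG, parse_leases(DHCP_LOG), DEVICE_NAMES):
        print(*hit)
```

In the sample data the same IP maps to two different devices depending on when the firewall entry was logged, which is why a lookup against the current lease table alone would misattribute the older hit.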