If a Peplink router is using new DNS (DNS over HTTPS on the Network tab for the WAN), how does this impact domain name based firewall rules?
I assume that an old DNS request (UDP/port53) into the router from the LAN side will result in the domain-based Firewall rule being checked and, if the firewall rule allows, a new DNS request coming out the WAN port of the router. Fine.
But, what if a new DNS request (DoH or DoT) comes into the router from a LAN side client? My guess is that this can never trigger a domain-based firewall rule because the router never sees the domain name. True? After all, hiding the domain name is the whole idea of new DNS.
And . . What if the router is using DNS over HTTPS to Quad9 (for example) and a LAN side client makes a DoH or DoT request to Cloudflare (for example)? I assume the request goes to Cloudflare. Yes?
Put another way, the DNS over HTTPS config for the WAN, really only applies to old DNS requests. New DNS requests from LAN side clients are honored and not examined or intercepted. Yes?
Documentation needs to be brought up to speed as the world changes around us.