Questions on DNS and domain name based firewall rules

If a Peplink router is using new DNS (DNS over HTTPS on the Network tab for the WAN), how does this impact domain name based firewall rules?

I assume that an old DNS request (UDP/port53) into the router from the LAN side will result in the domain-based Firewall rule being checked and, if the firewall rule allows, a new DNS request coming out the WAN port of the router. Fine.

But, what if a new DNS request (DoH or DoT) comes into the router from a LAN side client? My guess is that this can never trigger a domain-based firewall rule because the router never sees the domain name. True? After all, hiding the domain name is the whole idea of new DNS.

And . . . what if the router is using DNS over HTTPS to Quad9 (for example) and a LAN side client makes a DoH or DoT request to Cloudflare (for example)? I assume the request goes to Cloudflare. Yes?

Put another way, the DNS over HTTPS config for the WAN, really only applies to old DNS requests. New DNS requests from LAN side clients are honored and not examined or intercepted. Yes?

Documentation needs to be brought up to speed as the world changes around us.


I hadn’t thought about this enough, but what you say above seems to be the only way this could actually work, including for content blocking rules. I guess one could force clients to go through the legacy DNS protocols (and thus go through the domain based filtering rules) by blocking DoH from specific LANs at the Firewall. If the router is itself configured to use DoH on the WAN, then privacy outside of the organization is still maintained.
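The two posts above describe the visibility problem in words: a plain UDP/53 query carries the queried name in the clear, so a domain-based rule can match it, while DoT (TCP/853) and DoH (TLS on 443) only expose the resolver, never the queried name, so the only lever left is to block encrypted DNS from the LAN. The following Python model is an added example, not Peplink code and not code from either poster; it builds a real wire-format DNS query, extracts the QNAME the way a router would have to, and evaluates a hypothetical policy against three flow types. The blocked domain, the policy object and the `Flow` shape are assumptions; the resolver hostnames are the real ones for Quad9, Cloudflare and Google, listed only so the example can recognise DoH to a known resolver by TLS SNI.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical policy: one domain-based block rule plus the compensating
# control from the reply (block encrypted DNS from the LAN to force plain DNS).
@dataclass
class Policy:
    blocked_domains: frozenset
    block_encrypted_dns: bool = False

# Public DoH resolver hostnames a firewall could match in the TLS SNI.
# DoH to any other host on 443 looks exactly like ordinary HTTPS.
KNOWN_DOH_SNI = frozenset({"dns.quad9.net", "cloudflare-dns.com", "dns.google"})
DOT_PORT = 853

@dataclass
class Flow:
    proto: str                  # "udp" or "tcp"
    dst_port: int
    payload: bytes = b""        # first datagram for UDP/53
    sni: Optional[str] = None   # TLS ClientHello server_name, if present

def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query (A, IN) in wire format: 12-byte header + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(msg: bytes) -> Optional[str]:
    """Extract the first QNAME from a DNS message; None if malformed."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointer or oversized label: not valid here
            return None
        pos += 1
        if pos + length > len(msg):
            return None
        labels.append(msg[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    return ".".join(labels).lower()

def classify(flow: Flow) -> Tuple[str, Optional[str]]:
    """(kind, name): name is the QNAME for plain DNS, the resolver SNI otherwise."""
    if flow.proto == "udp" and flow.dst_port == 53:
        return "plain-dns", parse_qname(flow.payload)
    if flow.proto == "tcp" and flow.dst_port == DOT_PORT:
        return "dot", flow.sni
    if flow.proto == "tcp" and flow.dst_port == 443 and flow.sni in KNOWN_DOH_SNI:
        return "doh", flow.sni
    return "other", None

def domain_blocked(qname: str, policy: Policy) -> bool:
    return any(qname == d or qname.endswith("." + d) for d in policy.blocked_domains)

def evaluate(flow: Flow, policy: Policy) -> Tuple[str, str]:
    """Decide ALLOW/BLOCK and say which control (if any) actually applied."""
    kind, name = classify(flow)
    if kind == "plain-dns":
        if name is None:
            return "BLOCK", "malformed DNS query"
        if domain_blocked(name, policy):
            return "BLOCK", f"domain rule matched {name}"
        return "ALLOW", f"domain rules checked, {name} permitted"
    if kind in ("dot", "doh"):
        # The firewall sees only the resolver (port or SNI), never the QNAME,
        # so a domain-based rule can never match this flow.
        if policy.block_encrypted_dns:
            return "BLOCK", f"{kind} to {name} blocked to force plain DNS"
        return "ALLOW", f"{kind} to {name}: domain rules cannot apply"
    return "ALLOW", "not DNS as far as the firewall can tell"

if __name__ == "__main__":
    policy = Policy(frozenset({"example-blocked.test"}), block_encrypted_dns=False)
    samples = [  # constructed flows
        Flow("udp", 53, payload=build_dns_query("www.example-blocked.test")),
        Flow("tcp", 853, sni="dns.quad9.net"),
        Flow("tcp", 443, sni="cloudflare-dns.com"),
        Flow("tcp", 443, sni="www.example.com"),
    ]
    for f in samples:
        print(classify(f), evaluate(f, policy))
```

Run with `block_encrypted_dns=False` the DoT and DoH flows are allowed with the reason "domain rules cannot apply"; flip it to `True` and the same flows are blocked, which is the control the reply describes. The last sample shows the caveat: DoH to a resolver the firewall does not know by SNI is classified as ordinary HTTPS and passes either way.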