So now is the time to start putting in a PiHole to control DNS access. All along I have been thinking of constraining the DNS connections from the IoT equipment. There are times when equipment will attempt to do its DNS lookups against a hard-coded resolver IP address instead of the one handed out by DHCP. What I want to do is force all DNS access through the PiHole and have the PiHole forward its queries, with DNSSEC validation, to either 1.1.1.1 or 9.9.9.9. That way the PiHole restricts the trackers and the upstream resolver provides restriction from known bad domains. One thing to keep straight: DNSSEC only proves that an answer is authentic, it does not block anything, and the filtering of known-malicious domains is a feature of the upstream provider (Quad9 does this at 9.9.9.9; Cloudflare's 1.1.1.1 is unfiltered, its filtering resolver is 1.1.1.2). A DNS filter also only works by name, so it cannot stop a device that connects straight to an IP address. Since I have moved the IoT equipment to one of the EdgeRouter-Xs, I should be able to control the DNS access through some judicious ACL setups. Should be interesting.
First of all the PiHole is put into the IoT LAN subnet, and the ER-X then points the clients at the PiHole for both DHCP and DNS. I will set up the ER-X to force any DNS connections (TCP and UDP port 53) to go through the PiHole, which is done with a destination NAT rule on the IoT interface (https://community.ui.com/questions/Intercepting-and-Re-Directing-DNS-Queries/cd0a248d-ca54-4d16-84c6-a5ade3dc3272 and https://benninger.ca/posts/force-dns-go-through-pihole/ and https://www.myhelpfulguides.com/2018/07/30/redirect-hard-coded-dns-to-pi-hole-using-edgerouter-x/ ). Because the PiHole sits in the same subnet as the devices, the redirected traffic also needs a masquerade rule so that the PiHole's replies go back through the router; otherwise the device gets an answer from an address it never queried and drops it. This only catches plain DNS: a device that uses DNS over TLS (port 853) or DNS over HTTPS (port 443) walks right past the redirect, so port 853 should be dropped on that VLAN too, and DoH resolvers can only be stopped by blocking their names or addresses. Since I know all of the equipment in my network, including the IoT network, I will pin IP addresses where I want them through static DHCP assignments (TBD). In addition, I am going to restrict Bonjour (mDNS) access throughout the ER-X LAN subnets (TBD); mDNS is link-local multicast and does not cross VLANs on its own, so the main thing is to keep the ER-X mDNS repeater off for the IoT VLAN. I will of course restrict changes to the ER-X through my Admin VLAN and not through the IoT VLAN (TBD). Anyway that is the idea at the moment. Time will tell how well this works.
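Here is the EdgeOS configuration for that redirect, written out as an added example rather than copied from the post or the linked guides. It assumes the IoT VLAN is on interface eth1 with subnet 192.168.20.0/24, the PiHole is at 192.168.20.10, and the inbound firewall ruleset attached to eth1 is named IOT_IN; all three are placeholders for your own values.

```text
# Added example, not from the original post. Assumed values: IoT VLAN on
# eth1 (192.168.20.0/24), PiHole at 192.168.20.10, inbound firewall ruleset
# on eth1 named IOT_IN. Replace them to match your own ER-X.

configure

# 1. Destination NAT: any port-53 traffic entering from the IoT VLAN, except
#    from the PiHole itself (it still has to reach its upstreams), is
#    rewritten to the PiHole. EdgeOS requires DNAT rule numbers below 5000.
set service nat rule 1 description "Redirect hard-coded DNS to PiHole"
set service nat rule 1 type destination
set service nat rule 1 inbound-interface eth1
set service nat rule 1 protocol tcp_udp
set service nat rule 1 destination port 53
set service nat rule 1 source address !192.168.20.10
set service nat rule 1 inside-address address 192.168.20.10
set service nat rule 1 inside-address port 53
set service nat rule 1 log disable

# 2. Source NAT (hairpin): the PiHole is in the same subnet as the clients,
#    so without this its reply would go straight back to the device with a
#    source address the device never queried and be discarded. Masquerading
#    makes the PiHole answer the router, which then undoes both translations.
#    EdgeOS requires SNAT rule numbers of 5000 and above.
set service nat rule 5001 description "Masquerade redirected DNS to PiHole"
set service nat rule 5001 type masquerade
set service nat rule 5001 outbound-interface eth1
set service nat rule 5001 protocol tcp_udp
set service nat rule 5001 destination address 192.168.20.10
set service nat rule 5001 destination port 53

# 3. The redirect only sees plain DNS. Drop DNS over TLS from the IoT VLAN so
#    a device cannot quietly change transports; the PiHole is exempted in
#    case it is ever given a DoT upstream. DoH on 443 cannot be told apart
#    by port and has to be handled by blocking the resolver names/addresses.
set firewall name IOT_IN rule 20 description "Block DNS over TLS from IoT"
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 protocol tcp_udp
set firewall name IOT_IN rule 20 destination port 853
set firewall name IOT_IN rule 20 source address !192.168.20.10
set firewall name IOT_IN rule 20 log enable

commit
save
exit

# Checking it. From an IoT host, ask a resolver that is NOT the PiHole:
#   dig @8.8.8.8 example.com
# The answer should still arrive, and the PiHole query log should show the
# lookup. On the ER-X, rule 1 and rule 5001 counters should both move:
#   show nat statistics
```

One side effect of the masquerade rule is that every redirected query reaches the PiHole with the router's eth1 address as the client, so the PiHole's per-device statistics only remain accurate for devices that use the PiHole address handed out by DHCP; devices that insist on a hard-coded resolver all show up as the router.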