DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Guidance on Firewall Setup...

27 Dec 2024 21:00 #104381 by ytene
I've just been reading a pragmatic but interesting article concerning good techniques to harden a home network, which, if you're interested, you can find here:

https://ben.balter.com/2020/12/04/over-engineered-home-network-for-privacy-and-security/

The author, Ben, uses a "UniFi Dream Machine" for his home router... and one of the security challenges he discusses in his article is that an increasing number of devices are now hard-coding DNS IP addresses into their configurations, which means that a DNS sink like PiHole [which he also uses] can be circumvented. His solution to this is to block all outbound requests via TCP/53 [DNS]... Obviously that isn't perfect - to strengthen his approach further still he should also disable all outbound use of TCP/853 [which is DNS over TLS] but then open up that traffic from his local PiHole DNS.

Although I have some very trivial modifications to the base configuration of my Vigor2862, one of the features I've [intentionally] not customised has been the firewall.

But I'm very intrigued by this approach.

So I thought I would ask for some advice about a ruleset for the Draytek inbuilt firewall that might be able to achieve the desired result. I've had a look at the Firewall >> Filter Setup >> Edit Filter Set pages in my router... and I've reviewed this article: https://www.draytek.co.uk/support/guides/kb-vigor-filtering in the Draytek Knowledgebase.

From what I've read it seems as though I should be able to set up a "Filter Set 3" [my 2862 already has rulesets 1 and 2 configured] dedicated to controlling access to remote DNS from my local network... Next, looking at the rule parameters that my 2862 employs, it seems as though something similar to the following rules [using "TCP/53" and "TCP/853" for plaintext and TLS-encrypted DNS traffic, respectively, and noting that my home network is Class B, network address 172.16.0.0] might do the trick... [172.16.100.1 and 172.16.100.2 are my PiHole DNS Servers]

From: 172.16.100.1 to "Any" - Service Type "TCP/853" - Action - "Pass Immediately"
From: 172.16.100.2 to "Any" - Service Type "TCP/853" - Action - "Pass Immediately"
From: "Any" to "Any" - Service Type "TCP/53" - Action: "Block Immediately"
From: "Any" to "Any" - Service Type "TCP/853" - Action: "Block Immediately"

I'd be very grateful for any feedback or advice concerning either this approach in general or the more specific implementation that I've set out here. In particular, I'd like to understand how the rules engine parses the rules in a ruleset. I suspect - I don't know as I haven't yet found any documentation covering this - that the firewall rule parser will start with "ruleset 1, rule 1" and work its way down the list until it gets a match, then when it finds a rule that matches its input pattern, the data is processed. If that is the case, then I will need to put my "allow" rules for my PiHole DNS before my "block" rules...

If this looks as though it might be a reasonable approach, then the only remaining task would be to modify my PiHole servers to use "cloudflared" DNS over HTTPS [DoH] instead of the plaintext port 53...

I'm completely inexperienced when it comes to using my router's firewall... and I don't really have any experience of setting up a firewall with specific filtering rules... so any general advice and/or Draytek specific suggestions would be most welcome.

Thanks in advance.
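To illustrate the first-match question the post raises, the following is a small first-match evaluator (an added example, not DrayTek's code or the poster's) run over the four proposed rules in both orders. The Rule and Packet classes, the TEST-NET upstream addresses and the smart-TV client address are constructed assumptions; the UDP/53 sample shows what happens to a flow that none of the four rules describe.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    action: str   # "pass" or "block"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern)


def evaluate(rules, pkt: Packet, default: str = "pass"):
    """First-match semantics: return (action, rule index) of the first hit,
    or (default, None) when no rule matches."""
    for i, r in enumerate(rules):
        if (r.proto == pkt.proto and r.port == pkt.dport
                and _addr_matches(r.src, pkt.src) and _addr_matches(r.dst, pkt.dst)):
            return r.action, i
    return default, None


# The four rules from the post, in the order proposed (allow before block).
PROPOSED = [
    Rule("172.16.100.1/32", "any", "tcp", 853, "pass"),
    Rule("172.16.100.2/32", "any", "tcp", 853, "pass"),
    Rule("any", "any", "tcp", 53, "block"),
    Rule("any", "any", "tcp", 853, "block"),
]
# Same rules with the block entries listed first.
REVERSED = PROPOSED[2:] + PROPOSED[:2]

# Constructed sample flows (upstream resolvers use documentation addresses).
SAMPLES = {
    "pihole_dot": Packet("172.16.100.1", "192.0.2.1", "tcp", 853),   # Pi-hole to DoT upstream
    "tv_tcp53": Packet("172.16.20.7", "203.0.113.1", "tcp", 53),      # hard-coded resolver, TCP
    "tv_udp53": Packet("172.16.20.7", "203.0.113.1", "udp", 53),      # same query over UDP
}


def report(rules):
    return {name: evaluate(rules, p) for name, p in SAMPLES.items()}
```

Under first-match evaluation the proposed order lets the Pi-hole's DoT query through and blocks the TV's TCP/53 query, while the reversed order blocks the Pi-hole as well; the UDP/53 query falls through to the default in both orders.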
