With the arrival of IoT (Internet of Things) we are introducing unknown hardware and software to our networks. Many obey the rules we submit them to (custom IP addresses, limited Internet access, specific DNS Servers etc). But there are also devices that use DNS, but have DNS servers hardcoded. Blocking these IP addresses may result in sketchy behavior.
I place all of those devices in a separate VLAN where they have limited connectivity, and where I block outgoing DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) and direct DNS access to the Internet. Everything is supposed to use my internal DNS services. For those devices that have DNS servers hardcoded I created some special NAT and firewall rules to force them to use my internal DNS services.
