Be sure not to create an open resolver, something commonly used in DDoS attacks. https://serverfault.com/questions/573465/what-is-an-open-dns-resolver-and-how-can-i-protect-my-server-from-being-misused#573471

You're second point is a good one, but you absolutely can log the IP which requested robots.txt. That's just a standard part of any http server ever, no JavaScript needed.

Pretty good tool. I took the quiz out of curiosity, and the top result was my current distro

Here's the paper they linked to from the README: https://berty.tech/docs/protocol/

Rootless podman. The plan is to eventually move WG into a container once I get it working, but it's running on bare metal at the moment.

Look into Pi-hole. It's an easy-to-setup DNS server which can run on a Raspberry Pi (or a Linux desktop/server if you have one.) You can then set your devices' DNS servers to the local address where the Pi-hole is running. Since it would be running on your local network, any requests to it shouldn't go through your ISP in the first place. I'd still recommend getting your own router anyways because this kind of ISP fuckery is more common than you'd expect. Plus, your exact configurations follow you anywhere you move. If you do end up getting one, set the local DNS server in the DHCP settings of your router to avoid having to set it on each device.

I do see the request. I'm running it inside a container so all the clients show up as the container's hostname.

Nope. I can't ssh in either.

Just wanted to let you know I somewhat found a solution and edited my post to reflect that.

Didn't work, unfortunately. Same exact issues

I'll check it out. Thanks!

This makes perfect sense. Thank you!

Yes. And I set Pi-hole to respond to any interface. Plus, I can see the response being sent in Wireshark. It only gets blocked inside the wireguard interface.

No. I mean that my router doesn't forward requests for port 53 to my server. My server's firewall does allow access to port 53, and all my LAN devices are able to use it freely.

I am. Server IP is 192.168.1.xxx. DNS server is running on that machine. It already allows access from all interfaces. I just don't have port 53 natted from my router to avoid creating an open resolver.

Just one on the pihole box and using the local address of it for all LAN DNS.

It is in the DMZ. I also use the box for Jellyfin so I want it remotely accessible.

I just tried disabling it for a short while with the same result. It still gets blocked in the 10.14.0.* network.