If you don’t want to run your own DNS server/Pi-hole, you might consider NextDNS.
Edit to add: A mobile app could theoretically be sneaky and route around your phone’s DNS settings, but I’ve never heard of that actually happening, so it’s not something I’d worry about.
Actually, there are some apps and even phone level things that do try to call to custom DNS, ignoring all the phone settings, including those defined in the global settings. Termux nslookup is one I can think of at the top of my head that ignores the phone's settings and instead tries to call to Google DNS. I've got DNS default blocked in a custom script for AFWall on my phone, excluding calling my custom DNS, and see the block frequently hit. Just now checking, I see 54 blocks on 8.8.8.8:53, 2 blocks on 1.1.1.1:53, and 16 on "other" port 53 (catch all block).
Think the best solution is either a router firewall setup if always on the wifi, or a phone firewall app that can act as a VPN and just default block everything, or something like that. If rooted, AFWall does wonders.
If you are just looking to repurpose an old device for around the house use and it won't ever be leaving your home network, then the simplest method is to set a static IP address on the device and leave the default gateway empty. That will prevent it from reaching anything other than the local subnet.
If you have multiple subnets that the device needs to access you will need a proper firewall. Make sure that the device has a DHCP reservation or a static IP and then block outgoing traffic to the WAN from that IP while still allowing traffic to your local subnets.
If it is a phone who knows what that modem might be doing if there isn't a hardware switch for it. You can't expect much privacy when that modem is active. But like the other poster mentiond a private DNS server that only has records from your local services would at least prevent apps from reaching out as long as they aren't smart enough to fall back to an IP address if DNS fails.
A VPN for your phone with firewall rules on your router that prevent your VPN clients from reaching the WAN would hopefully prevent any sort of fallback like that.
a private DNS server that only has records from your local services would at least prevent apps from reaching out as long as they aren’t smart enough to fall back to an IP address if DNS fails.
Yes, this. It's important that your local DNS server does not even forward queries from the isolated subnet to external DNS, because these queries (and responses) can contain information. ("DNS tunneling").
Yes, you need a firewall. Deny traffic to the internet, permit to your self hosted resources. If you intent to take this phone out of the house, you can configure always on VPN with tasker and wire guard.
If you're running an Android phone, there's RethinkDNS which can block every requests except those explicitly allowed by yourself on the DNS level and firewall your traffic based on your rules.
It's very customizable but It's not that easy to get it right. You can even hook up your own wireguard tunnel and add block lists similar to uBlock.
If you want to dig deeper into the DNS blocking you can have a look at PCAPdroid which allows you to peek into wich app does what on the DNS level. While it works without rooting your phone, if you want to use it in combination with your VPN, you need root access.
I have a DNS server running for my home lab with conditional forwarding from pihole. Then i only pass the internal DNS to a WLAN that doesn't need external access (locally controlled IoT devices for example).
So some WLAN devices just can't make any DNS requests that are outside your LAN, correct? But what if they use a hardcoded ip, wouldn't that circumvent everything?
Port 53 going to the internal dns? Nope? Drop! Same rule you would use everywhere else to push all dns to your preferred dns server.
Static routes are also a great way but I'm not familiar enough with your setup or static routes to explain. Pihole can also have groups which can apply different rules, lists etc.
I use the parental controls on the router to put the roomba in grounded-child mode.
That said, I'm not actually positive it works... it is able to connect to home assistant, so it definitely has local network connectivity, but I haven't proved to myself that it is actually unable to connect to its remote servers since it isn't really that big of a deal to me.