Some workplaces are aggressive about DNS: they want you to use their DNS servers, and they enforce it by blocking outbound port 53. If you are thinking of a VPN, that is not so simple either: their DNS is needed to comfortably use the intranet. So how do you deal with it?
The first part of the solution is DNS over HTTPS (DoH). Since HTTPS is basically never blocked, you can use it to get around the port blocking.
The second part of the solution is a local resolver that decides which DNS server to use based on the name being looked up: for *.mycorp.com I want the corporate DNS, and for everything else I prefer an external upstream resolver.
What is a DoH stub? It is a small DNS server that answers queries by forwarding them over DNS over HTTPS. Basically it listens on a local port (53/udp by default) and sends every query as an HTTPS request to a resolver on port 443.
dnss is probably as good as any other stub, but it is packaged in Ubuntu, so it is easy to install. Run it with DNS-to-HTTPS mode enabled and make it listen on 127.0.0.1 port 5003 instead of the default 53, which dnsmasq is going to take (`dnss -help` lists the listen-address option).
dnsmasq has exactly the feature we need: it can choose the upstream server per domain, based on the domain name of the query alone. Point the system resolver (/etc/resolv.conf) at 127.0.0.1 so that every lookup goes through it, and configure it like this:
port=53
# do not read upstream servers from /etc/resolv.conf (it points at ourselves)
no-resolv
# default upstream: the DoH stub
server=127.0.0.1#5003
# mycorp.com and every name under it: the corporate DNS
server=/mycorp.com/192.168.1.253
Seems good, right? Well, not exactly! dnss will try to resolve dns.google.com first (unless you configure it differently), because that is the host in its DoH upstream URL. With the system resolver pointing at dnsmasq, that lookup is forwarded to dnsmasq's default upstream, which is dnss itself, so the stub can never get started: a chicken-and-egg loop!
We can break the loop by improving our dnsmasq configuration: send the DoH server's own name to the corporate DNS as well.
port=53
# do not read upstream servers from /etc/resolv.conf (it points at ourselves)
no-resolv
# default upstream: the DoH stub
server=127.0.0.1#5003
# mycorp.com and every name under it: the corporate DNS
server=/mycorp.com/192.168.1.253
# the DoH server's own name: resolved by the corporate DNS, otherwise dnss cannot bootstrap
server=/dns.google.com/192.168.1.253
The name in that last line must match the host in the upstream URL dnss is actually configured with. Two things to keep in mind: the corporate resolver now sees a query for dns.google.com, so it can tell you are using DoH, and it could answer with a bogus address. It cannot silently hijack your queries that way, though, as long as dnss verifies the HTTPS certificate for that hostname: a spoofed answer makes resolution fail rather than redirecting it.
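To make the selection rule concrete, here is an added example (not code from this post, nor from dnsmasq or dnss) that models dnsmasq's `server=/domain/address` longest-suffix matching and runs both configurations above through it, showing where dns.google.com, a corporate name and an outside name are sent before and after the extra line. It assumes, as the symptom described above implies, that dnss resolves the host in its upstream URL through the system resolver, i.e. through dnsmasq; the addresses and ports are the ones used in the post, and the matching logic is a simplified model of dnsmasq, not its source.

```python
"""
Model of dnsmasq's per-domain upstream selection, used to show why the first
configuration in the post loops on the DoH bootstrap name and the second does
not. Added example; not part of the post, dnsmasq or dnss.
"""

# Constructed copies of the two dnsmasq configurations from the post.
CONFIG_BEFORE = """
port=53
no-resolv
server=127.0.0.1#5003
server=/mycorp.com/192.168.1.253
"""

CONFIG_AFTER = CONFIG_BEFORE + "server=/dns.google.com/192.168.1.253\n"

# Where the DoH stub listens (from the post).
DNSS_STUB = "127.0.0.1#5003"

# Assumption: dnss looks up the host of its upstream URL through the system
# resolver, which is dnsmasq; the post's failure mode implies this.
DOH_UPSTREAM_NAME = "dns.google.com"


def parse_servers(config):
    """Return (default_servers, {domain: server}) from the server= lines.

    Only the forms used in the post are modelled: 'server=addr[#port]' and
    'server=/domain1/domain2/.../addr[#port]'. Other dnsmasq variants
    (e.g. 'server=/domain/#') are ignored.
    """
    defaults, by_domain = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            parts = value.split("/")          # ['', 'd1', ..., 'dn', 'addr']
            address = parts[-1]
            for domain in parts[1:-1]:
                by_domain[domain.lower().rstrip(".")] = address
        else:
            defaults.append(value)
    return defaults, by_domain


def select_upstream(name, defaults, by_domain):
    """Pick the upstream for a query name the way dnsmasq does: the
    server= entry whose domain is the longest label-wise suffix of the
    name wins (the domain itself and everything under it match); a name
    with no matching domain goes to the default servers."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):              # longest suffix first
        candidate = ".".join(labels[i:])
        if candidate in by_domain:
            return by_domain[candidate]
    return defaults[0] if defaults else None


def route_table(config, names):
    """Map each name to the upstream a given configuration sends it to."""
    defaults, by_domain = parse_servers(config)
    return {n: select_upstream(n, defaults, by_domain) for n in names}


def bootstrap_loops(config):
    """True if the DoH stub's own upstream host would be sent back to the stub,
    i.e. the stub cannot resolve the name it needs before it can work."""
    return route_table(config, [DOH_UPSTREAM_NAME])[DOH_UPSTREAM_NAME] == DNSS_STUB


if __name__ == "__main__":
    names = ["wiki.mycorp.com", "example.org", "notmycorp.com", DOH_UPSTREAM_NAME]
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"[{label}] bootstrap loops: {bootstrap_loops(cfg)}")
        for name, server in route_table(cfg, names).items():
            print(f"  {name:20s} -> {server}")
```

Note that matching is by whole labels: notmycorp.com does not match server=/mycorp.com/ and goes to the DoH stub like any other outside name, while a.b.mycorp.com does match and stays on the corporate DNS.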