Re: It's been years since . . . .
I use a decent firewall/router on the inside and run all my LAN/Wi-fi DHCP from that, including the DNS.
Oh, but I also then VPN out to an external server most of the time as well. Many ways to skin this particular cat.