Adblock + custom DNS server + Android private DNS DoT no internet

Hi,

I have set some custom DNS servers for my networks (LAN and WAN), installed adblock and luci-app-adblock, then noticed that domains were not being blocked on my devices, so I enabled "Redirect all DNS queries from 'lan' zone to the local DNS resolver, applies to UDP and TCP protocol" (and left the default value for Local DNS Ports: 53 853 5353), and it started blocking domains. The only issue I have is with my Android phone, where I set the private DNS dot-fi.blahdns.com: there is no internet connection, and it seems to be an issue with DNS resolution.
When I open the WiFi connection details on the Android device, under DNS I see the 2 custom DNSes I set in the OpenWRT router!

Any idea?
Thanks

If this is when you're not using your LAN's wifi, how is it an OpenWrt issue?

If I uncheck "Redirect all DNS queries from 'lan' zone to the local DNS resolver, applies to UDP and TCP protocol", the Android device connection works fine.
The issue happens when the Android device is connected to the OpenWRT wifi, of course; the only difference is when also using private DNS on Android.

Define private DNS?

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns
Filter the relevant hosts/ports for DoH/DoT.
This typically makes encrypted DNS fail over to plain DNS, which can be easily intercepted.

Sorry, what do you mean?

I added that firewall rule, but it did not change the result; here are my firewall rules:

config redirect
        option dest_port '53'
        option name 'Force DNS'
        option src_dport '53'
        option target 'DNAT'
        option dest 'lan'
        option src 'lan'

config redirect 'adblock_dns_53'
        option name 'Adblock DNS, port 53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_dns_853'
        option name 'Adblock DNS, port 853'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_dns_5353'
        option name 'Adblock DNS, port 5353'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect
        option target 'DNAT'
        option src 'lan'
        option name 'Intercept-DNS'
        option src_dport '53'
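The approach from the intercept_dns wiki page that vgaetera linked, written out as an added example (it is not code from this thread or from the OpenWrt project) in the form of uci commands you would run on the router. It assumes the default zone names 'lan' and 'wan' and dnsmasq (with adblock) answering plain DNS on the router's port 53; the section names dns_int and dot_block are mine. The point to compare with the adblock-generated rules above is port 853: here DoT is rejected on its way to the WAN rather than redirected to the router, which has no TLS listener on 853.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: the "intercept DNS"
# rules from the wiki page as uci commands. Assumptions: default zone names
# 'lan' and 'wan', dnsmasq (with adblock) answering plain DNS on port 53 of the
# router. Run as root on the router, e.g. saved as /root/add_dns_intercept.sh.

# Route every uci call through one helper so the rule set can be reviewed
# first: with DRY_RUN=1 the commands are printed instead of executed.
uci_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'uci %s\n' "$*"
    else
        uci "$@"
    fi
}

add_dns_intercept() {
    # (1) DNAT plain DNS (53/udp and 53/tcp) from any LAN client to the router,
    #     so a resolver hard-coded in an app or device still ends up at dnsmasq.
    #     Named section, so re-running the script replaces it instead of
    #     adding a duplicate.
    uci_cmd -q delete firewall.dns_int
    uci_cmd set firewall.dns_int=redirect
    uci_cmd set firewall.dns_int.name='Intercept-DNS'
    uci_cmd set firewall.dns_int.src='lan'
    uci_cmd set firewall.dns_int.src_dport='53'
    uci_cmd set firewall.dns_int.proto='tcp udp'
    uci_cmd set firewall.dns_int.target='DNAT'

    # (2) REJECT DNS over TLS (853/tcp) leaving the LAN for the WAN. REJECT
    #     rather than DROP so a client in opportunistic mode gets an immediate
    #     RST and falls back to plain DNS, which rule (1) then captures. This is
    #     deliberately not a DNAT to the router: dnsmasq offers no TLS listener
    #     on 853, so a redirected TLS handshake would only fail slowly.
    uci_cmd -q delete firewall.dot_block
    uci_cmd set firewall.dot_block=rule
    uci_cmd set firewall.dot_block.name='Reject-DoT'
    uci_cmd set firewall.dot_block.src='lan'
    uci_cmd set firewall.dot_block.dest='wan'
    uci_cmd set firewall.dot_block.proto='tcp'
    uci_cmd set firewall.dot_block.dest_port='853'
    uci_cmd set firewall.dot_block.target='REJECT'

    uci_cmd commit firewall
    # Apply the new rules without a reboot; skipped in dry-run mode.
    [ "${DRY_RUN:-0}" = "1" ] || /etc/init.d/firewall reload
}

# Run only when executed under the script name above, not when sourced.
case "$0" in
    *add_dns_intercept.sh) add_dns_intercept ;;
esac
```

Review with `DRY_RUN=1 sh /root/add_dns_intercept.sh` before running it for real. Two caveats a practitioner will want: a port rule does nothing for DoH on 443, which the wiki handles with a host list; and the whole scheme only helps clients whose encrypted DNS actually falls back. Android's Private DNS in Automatic mode does, but once a provider hostname is set it is strict: the phone resolves that hostname through the router's DNS and then insists on a working TLS session to it on 853, so with DoT blocked or redirected at the firewall it will still report no internet.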

Your wording: what does private mean in this case ...

The native Private DNS Android feature, see https://blog.cloudflare.com/enable-private-dns-with-1-1-1-1-on-android-9-pie/

Well yes, but private in what way? Private as in encrypting, or private as in yours (and encrypting)?

I guess it's https://blahdns.com/

In that case, try pinging dot-fi.blahdns.com from any client on your network ...

PING dot-fi.blahdns.com (95.216.212.177) 56(84) bytes of data.
64 bytes from fi1.blahdns.com (95.216.212.177): icmp_seq=1 ttl=50 time=60.9 ms
64 bytes from fi1.blahdns.com (95.216.212.177): icmp_seq=2 ttl=50 time=59.5 ms
64 bytes from fi1.blahdns.com (95.216.212.177): icmp_seq=3 ttl=50 time=59.9 ms

That is from the other devices on the network, while from the Android phone I can only ping the IP, not the domain.

In that case there's something weird with the initial name resolution on your Android device.
It seems it doesn't pick up your local DNS (I would assume), like the other clients do.

Yes, it's weird, because if I unset the Private DNS the Android device does pick up the local DNS and works.
The DNS hijacking that @vgaetera suggested might make sense, but I'm not sure about it, or whether I'm implementing it the right way or need more steps!

What you could do is install DNSChanger on your phone and set it to 95.216.212.177; then you will have the blocking no matter whether you're home or not. It doesn't hijack hardcoded DNSes, which some apps use; that can only be done in the FW, and only while you're on your local LAN.

For that you need the other app from the same creator, called Nebulo.

Not really a solution for your LAN issue, but it comes with a plus: ad blocking on the mobile network as well.


Thank you for your help. I think I'm gonna use DNSChanger for the moment, so that I'll have the adblocking :+1: