Beside the normal LAN interface, I have created a separate Guest LAN interface to restrict management access to the router for connecting hosts. The Guest LAN creation required an additional firewall zone to allow forwarding to destination zone WAN and set 2 new traffic rules for DHCP (port 67) and DNS (port 53) for the Guest LAN interface.
I found the following short tutorial that explains the setup of DoH in OpenWRT:
However, I am wondering about the custom firewall rules that the author is adding to OpenWRT:
The OpenWRT Wiki documentation for DoH does not mention that the firewall rules need to be adjusted with the mentioned settings to get this setup working.
Are those custom firewall rules really required for correct DoH setup?
You need to back the DNAT rule with ct status dnat accept, which is done automatically if you set the rule in fw4/fw3 via LuCI.
Those rules divert external DNS requests to your DoH proxy. It could be (better) if they diverted to dnsmasq.
I used to use that rule on my openwrt router just to "hijack" dns requests.
On my 23.05.2 openwrt router using fw4 I have a single traffic rule that targets anything going to port 53/853 and diverts it to my upstream dns resolver (pihole) which then resolves all external dns traffic with doh. Then I am using banIP to target dns IPs (8.8.8.8 for example) to block those dns requests.
I am doing it this way to keep my openwrt router as the router/firewall/dhcp server for all the vlans and I have offloaded all external dns functions to the pihole. For me this is my preferred way to manage things.
Ok, so you're saying that these custom settings are in place as a "catch all" firewall rule to ensure that all DNS requests on the entire network on port 53 are properly forwarded to the proxy and no user in the network, intentionally or not, can bypass those DNS redirection settings?
Because they're not necessary. HTTPS-DNS-Proxy will, if you set the 'Force DNS' option, create the necessary rules. If you want to do it manually then follow the instructions on the DNS hijacking wiki page (which is linked to on the wiki page you mentioned in the first post).
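To make the two replies above concrete (the "back the DNAT rule with ct status dnat accept" point and the manual DNS hijacking route), here is an added example of what the manual setup looks like in OpenWrt's UCI config files. It is not taken from the thread, the tutorial or the wiki. It assumes the firewall zones are named 'lan', 'guest' and 'wan', that fw4 is in use, and that https-dns-proxy listens on 127.0.0.1 port 5053 (its default) with dnsmasq forwarding to it; adjust the zone names and port to your setup.

```uci
# /etc/config/dhcp  (added example; assumed layout)
# dnsmasq forwards every upstream query to the local DoH proxy only.
config dnsmasq
	option noresolv '1'
	list server '127.0.0.1#5053'

# /etc/config/firewall  (added example; assumed zone names 'lan', 'guest', 'wan')
# Intercept plain DNS (port 53) from each client zone and hand it to the
# router itself. With no dest_ip set, fw4 DNATs to the router's own address
# on that zone, i.e. to dnsmasq, which then uses the DoH proxy above.
# One redirect is needed per source zone.
config redirect
	option name 'Intercept-DNS-lan'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

config redirect
	option name 'Intercept-DNS-guest'
	option src 'guest'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

# DNS-over-TLS/QUIC (port 853) cannot be answered by dnsmasq, so a client
# configured for it would bypass the interception above; reject it instead.
config rule
	option name 'Deny-DoT-guest'
	option src 'guest'
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp udp'
	option target 'REJECT'
```

After `uci commit firewall` and `service firewall restart`, fw4 emits the redirect into the zone's `dstnat_guest` chain and, on its own, adds the `ct status dnat accept` rule to `input_guest` that the first reply refers to; only a hand-written nft rule would need that counterpart added manually. A quick check from a guest client is `nslookup example.com 8.8.8.8`: the query is DNATed to the router, so the answer is whatever dnsmasq (via the DoH proxy) returns, not the public resolver's.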
I understand the rule for the localhost IP on ports 5053 and 5054, but I don't get where the 'mask icloud' and 'use application dns' entries come from, or what they are in place for?
Also I am only able to use nslookup for a domain without the localhost option: