Allow Android's Private DNS

Hi,
I've recently purchased a D-Link DIR-878 and flashed it with OpenWRT 22.03.3. The only changes I've made are wireless-related, so firewall, port forwards, installable modules and all the other settings should be unmodified.
My PC works fine, but my Android phone complains that it cannot use the Wi-Fi since it cannot reach the Private DNS I set it up to use. I've confronted this issue once before and it turned out that the router was blocking incoming connections on port 853 (that router did not have OpenWRT as the OS).
I assume the issue here is similar (i.e. a blocked port) but I cannot figure out how to open it. I tried messing with the Port Forwarding and Traffic Rules in LuCI (shown below) but came up empty-handed.


(192.168.1.221 is the Android phone)

I've seen people on here have the exact opposite of my issue, i.e. trying to prevent the Private DNS function from working, but I could not reverse my way through the answers to find a solution to mine.
Did anyone manage to get their Private DNS to work with OpenWRT? Thanks in advance for any answers.

1.1.1.1 is Cloudflare, I would have expected it to try to reach 8.8.8.8.

And I see no reason why 1.1.1.1 would try to talk to your phone.

Try disabling DoT on Android OS level, it's enabled by default, AFAIK.

I use DoH instead of DoT but ran into a similar issue. luci-app-https-dns-proxy has a default config that blocks all other DNS requests by forcing them through the DoH proxy by DNS hijacking. The DoH app I am using has an option in the LuCI interface to disable that function if you want to allow those DNS requests through. May want to look for that in your app.

I set it up to use 1dot1dot1dot1.cloudflare-dns.com as specified in the guide linked above. I assume it needs to establish a two-way connection with my phone but cannot get through.

Port 853 is not blocked in the default configuration. It is not necessary to open port 853 for incoming traffic, as secure DNS is a simple outgoing TCP connection.

Since secure DNS servers are configured by name, a catch-22 exists. The phone needs access to a regular DNS to make the initial connection to the secure DNS server before it can use secure DNS.

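The two steps in the reply above (a plain-DNS bootstrap lookup of the DoT server's name, then an outgoing TLS connection to TCP 853 carrying a length-prefixed DNS query as in RFC 7858) as an added example script, not code from the thread or from OpenWrt. The DoT hostname, the query name and the constructed response used for offline checking are assumptions chosen to match the thread.

```python
"""Minimal DNS-over-TLS probe (added example, not from the thread).

Shows why no inbound port 853 rule is needed: the phone bootstraps the
server's IP over ordinary DNS, then opens an outgoing TLS session to 853.
"""
import socket
import ssl
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query (recursion desired) for name/qtype, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def frame_tcp(msg):
    """DNS over TCP/TLS prefixes every message with a 2-byte big-endian length."""
    return struct.pack(">H", len(msg)) + msg


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount = struct.unpack(">HHHH", resp[:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def probe_dot(host="1dot1dot1dot1.cloudflare-dns.com", query="openwrt.org"):
    """Step 1: bootstrap over plain DNS. Step 2: TLS to 853 with SNI and cert checks."""
    ip = socket.gethostbyname(host)              # resolver handed out by the router
    ctx = ssl.create_default_context()           # verifies chain and hostname
    raw = socket.create_connection((ip, 853), timeout=5)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(frame_tcp(build_query(query)))
        length = struct.unpack(">H", tls.recv(2))[0]
        data = b""
        while len(data) < length:                # a response may arrive in pieces
            chunk = tls.recv(length - len(data))
            if not chunk:
                raise ConnectionError("TLS stream closed before full DNS response")
            data += chunk
    return parse_a_records(data)
```

Run `probe_dot()` from a LAN client: if the bootstrap `gethostbyname` fails, plain DNS is the problem; if the TLS connect or handshake fails, something on the path to port 853 is.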

That's fine - the phone has access to a regular DNS, since when I switch off the Private DNS, it works as intended. This probably means that there is something blocking the connection from happening and I'm trying to figure out what. My bet so far was that port 853 was somehow blocked, but now that you say that it shouldn't be blocked by default I'm not sure what else to blame.

A bit of tcpdump magic would put the blame correctly :slight_smile:

tcpdump -vpni br-lan port 53 or port 853

(with the literal "or" in the middle and both ports mentioned - i.e. exactly as written). Paste the output while the phone is trying to use Private DNS and nothing else happens in the network.

Also, for comparison, from a different terminal:

tcpdump -vpni pppoe-wan port 53 or port 853

Adjust for the name of the WAN interface and paste the output also.


Just FYI - I actually have Androids and other devices configured for Cloudflare standard DNS, WARP, etc. They work as any other device on OpenWrt routers with default configs, etc. and just as any other DNS server configured in clients

BTW - they also have family-safe and malware-sanitized DNS servers too, adding those work as well.

:thinking: :bulb: What I do find interesting is this - the Android OS asks for the domain name instead of the IP. It's possible your ISP or carrier (or you) blocks the bootstrap query for the DNS server's IP.

Did a bit more digging and it looks like my ISP may indeed be blocking Cloudflare's DoT endpoints. I'll try to subvert this somehow but for now we can safely assume OpenWRT is not to blame here.

