Android private DNS blocking

Hi, all.

I've spent a few days searching the internet.
I have a Samsung Galaxy tablet with Android 10.
The problem is 2-fold.

  1. Android 10 itself uses DoT (DNS over TLS)
  2. Firefox on Android uses DoH (DNS over HTTPS)

Most information I could find is in this thread:

The thread points to the Firefox implementation. However, Firefox has a workaround - it's enough to add a single line to dnsmasq (server=/use-application-dns.net/).
This will be checked on Firefox start and, if present, Firefox will use the local DNS.
So far so good.
The problem is - I cannot even get to that state as all my DNS queries are resolved by "private DNS" feature of android 10.
They are forwarded to Google servers (!!!) - even when I completely block the IPs 8.8.4.4 and 8.8.8.8 - Google uses an interesting tactic where Android contacts google.com, asks for their resolvers, and they come from addresses associated with 1e100.net.
Problem is - blocking these IPs renders the tablet useless (no more Google Play).
I don't use Google search nor any of their other services, with the exception of Play.

I installed JuiceSSH and connected to a local prompt.
I tried pinging local addresses - all works OK.
When I tried to ping local computers using local names (such as ping 3dprinter.lan), the name could not be resolved.

The workaround was to use Blokada and set the preferences for Wi-Fi networks to always use the connection's DNS - suddenly JuiceSSH and Firefox work all OK.

Is there a setting that I can modify in iptables/dnsmasq to ensure the stupid DoT will not be utilized somehow?
The original topic was closed before I could post the comment about Firefox not being the problem here.

DNS over TLS uses port 853. You could try blocking outgoing traffic on that port and see if it falls back to the local servers. Something along the lines of

iptables -I output_rule 1 -p tcp --dport 853 -j REJECT

This is one of my frustrations as well, as I find that Android clients routinely ignore DNS servers pushed via DHCP. I have iptables rules that redirect all outgoing DNS not originating from my server to my OpenWrt's dnsmasq. I don't want to use anyone else's DNS.


What the Android devices are likely to do in this case, if you block port 853, is fall back to 8.8.8.8.

So you'll need to redirect all outgoing DNS queries to your OpenWrt.

I use the following firewall script to redirect DNS. You can do this with rules in LuCI, but I tend to default to command line stuff. It's just a preference.

This script assumes that you have an internal DNS server on a different IP address to your OpenWrt. It will allow outgoing queries from the DNS server, but redirect everything else to dnsmasq on your OpenWrt. If you prefer, you could just redirect everything to the local DNS server.

I redirect to my OpenWrt for redundancy purposes: I have an internal DNS server as well as another recursive caching server running on a VM in a data centre over a WireGuard connection. My OpenWrt queries both servers, so if I bounce my internal nameserver then my DNS queries still get resolved via my other server.

#!/bin/sh
  
# Redirect dns queries to deal with android devices ignoring DHCP DNS settings

IP=/sbin/ip
SERVERIPV4=192.168.1.2
SERVERIPV6=<prefix>::2
OPENWRTIPV4=$(uci get network.lan.ipaddr)
OPENWRTIPV6=$(ip address ls dev br-lan 2>/dev/null | grep global | sed -ne 's/ *inet6 \([^ \/]*\).* scope.*/\1/;T; p')

if [ ! -z "${SERVERIPV4}" ]; then

iptables -t nat -D prerouting_rule -i br-lan -s ${SERVERIPV4} -p udp --dport 53 -j RETURN 2> /dev/null
iptables -t nat -I prerouting_rule 1 -i br-lan -s ${SERVERIPV4} -p udp --dport 53 -j RETURN

fi

if [ ! -z "${SERVERIPV6}" ]; then

ip6tables -t nat -D PREROUTING -i br-lan -s ${SERVERIPV6} -p udp --dport 53 -j RETURN 2> /dev/null
ip6tables -t nat -I PREROUTING 1 -i br-lan -s ${SERVERIPV6} -p udp --dport 53 -j RETURN

fi

if [ ! -z "${OPENWRTIPV4}" ]; then

iptables -t nat -D prerouting_rule -i br-lan ! -d ${OPENWRTIPV4} -p udp --dport 53 -j DNAT --to-destination ${OPENWRTIPV4}:53 2> /dev/null
iptables -t nat -A prerouting_rule -i br-lan ! -d ${OPENWRTIPV4} -p udp --dport 53 -j DNAT --to-destination ${OPENWRTIPV4}:53

fi

if [ ! -z "${OPENWRTIPV6}" ]; then

ip6tables -t nat -D PREROUTING -i br-lan ! -d ${OPENWRTIPV6} -p udp --dport 53 -j DNAT --to-destination [${OPENWRTIPV6}]:53 2> /dev/null
ip6tables -t nat -A PREROUTING -i br-lan ! -d ${OPENWRTIPV6} -p udp --dport 53 -j DNAT --to-destination [${OPENWRTIPV6}]:53

fi
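The script above only installs the redirect; it does not tell you which clients are still going around it. As an added check that is not from this thread, the helper below reads `conntrack -L` style output (a constructed sample is embedded) and labels each LAN flow: plain DNS that was caught by the DNAT redirect, plain DNS that bypassed the router, port 853 (DoT), and port 443 to the public resolvers named in this thread (likely DoH). The ROUTER address and the DOH_IPS list are assumptions you would adjust for your own LAN.

```shell
#!/bin/sh
# Added audit helper (not from the thread): list LAN flows that bypass the
# router's resolver, from `conntrack -L` style text. Assumes ROUTER is the
# OpenWrt LAN address and that 443 to the resolvers in DOH_IPS is DoH.
ROUTER=192.168.1.1
DOH_IPS="8.8.8.8 8.8.4.4 1.1.1.1"

# dns_bypass_audit ROUTER < conntrack-text
# Output: <client> <dst> <proto>/<dport> <verdict>, one line per flagged flow.
dns_bypass_audit() {
    awk -v router="$1" -v doh="$DOH_IPS" '
    BEGIN { n = split(doh, a, " "); for (i = 1; i <= n; i++) dohset[a[i]] = 1 }
    {
        proto = $1; src = ""; rsrc = ""; dst = ""; dport = ""
        # first src=/dst=/dport= are the original direction; second src= is the reply
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^src=/) { if (src == "") src = substr($i, 5); else rsrc = substr($i, 5) }
            else if ($i ~ /^dst=/ && dst == "") dst = substr($i, 5)
            else if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)
        }
        if (src == "" || dst == "" || dport == "" || src == router) { next }
        if (dport == "53" && dst != router) {
            # a reply sourced from the router means the DNAT redirect caught it
            print src, dst, proto "/" dport, (rsrc == router ? "dns-redirected" : "dns-bypass")
        } else if (dport == "853") {
            print src, dst, proto "/" dport, "dot-bypass"
        } else if (dport == "443" && (dst in dohset)) {
            print src, dst, proto "/" dport, "possible-doh"
        }
    }'
}

# Constructed sample: plain DNS (one redirected, one not), DoT, DoH, ordinary
# HTTPS, and the router's own upstream query (which must not be flagged).
SAMPLE='udp 17 29 src=192.168.1.50 dst=8.8.8.8 sport=43521 dport=53 src=8.8.8.8 dst=192.168.1.50 sport=53 dport=43521 mark=0 use=1
udp 17 29 src=192.168.1.51 dst=8.8.4.4 sport=40001 dport=53 src=192.168.1.1 dst=192.168.1.51 sport=53 dport=40001 mark=0 use=1
tcp 6 431999 ESTABLISHED src=192.168.1.50 dst=1.1.1.1 sport=51234 dport=853 src=1.1.1.1 dst=192.168.1.50 sport=853 dport=51234 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=192.168.1.52 dst=1.1.1.1 sport=51235 dport=443 src=1.1.1.1 dst=192.168.1.52 sport=443 dport=51235 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=192.168.1.52 dst=203.0.113.10 sport=51236 dport=443 src=203.0.113.10 dst=192.168.1.52 sport=443 dport=51236 [ASSURED] mark=0 use=1
udp 17 29 src=192.168.1.1 dst=8.8.8.8 sport=43522 dport=53 src=8.8.8.8 dst=192.168.1.1 sport=53 dport=43522 mark=0 use=1'

printf '%s\n' "$SAMPLE" | dns_bypass_audit "$ROUTER"
```

On a live router, run it as `conntrack -L 2>/dev/null | dns_bypass_audit 192.168.1.1` after the script above has been applied; any `dns-bypass` or `dot-bypass` line is a client the redirect is not catching.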

DoT can be disabled, and DoH in FF too, or you can just block the canary domain FF uses.


You can block DoH with banIP:


How?
I want to block 1.1.1.1...

Set a firewall rule redirecting or blocking calls to 1.1.1.1.