Android private DNS blocking

Hi, all.

I've spent few days searching the internet.
I have samsung galaxy tablet with Android 10.
The problem is 2-fold.

  1. Android 10 itself uses DoT (DNS over TLS)
  2. Firefox on Android uses DoH (DNS over HTTPS)

Most information I could find is in this thread:

The thread points to Firefox implementation. However, firefox has a workaround - it's enough to add a single line to dnsmasq (server=/
This will be checked on firefox start and if present, the firefox will use local DNS.
So far so good.
The problem is - I cannot even get to that state as all my DNS queries are resolved by "private DNS" feature of android 10.
They are forwarded to google servers (!!!) - even when I block completely IPs and - google uses interesting tactics where the android contacts, asks for their resolvers and they come form addresses associated with
Problem is - blocking these IPs renders the tablet useless (no more google play).
I don't use google search nor other their service with the exception of play.

I installed juiceSSH and connected to local prompt.
I tried ping local addresses - all works OK.
When I tried to ping local computers using local names (such as ping 3dprinter.lan), the name could not be resolved.

Workaround was to use blokada and set the preferences for wifi networks to always use connection DNS - suddenly juiceSSH and firefox work all OK.

Is there a setting what I can modify in iptables/dnsmasq to ensure the stupid DoT will not be utilized somehow?
The original topic was closed before I could post the comment about firefox not being the problem here :frowning:

DNS over TLS uses port 853. You could try block outgoing on that and see if it falls back to local servers. Something along the lines of

iptables -I output_rule 1 -p tcp --dport 853 -j REJECT

This is one of my frustrations as well, as I find that android clients routinely ignore DNS servers pushed via DHCP. I have iptables rules that redirect all outgoing DNS not originating from my server to my openwrt's dnsmasq. I don't want to use anyone else's DNS.

1 Like

What the android devices are likely to do in this case, if you block port 853, is fall back to

So you'll need to redirect all outgoing DNS queries to your openwrt

I use the following firewall script to redirect dns. You can do this with rules in luci, but I tend to default to command line stuff. It's just a preference.

This script assumes that you have an internal DNS server on a different IP address to your openwrt. It will allow outgoing queries from the DNS server, but redirect everything else to dnsmasq on your openwrt. If you prefer, you could just redirect everything to the local DNS server.

I redirect to my openwrt for redundancy purposes: I have an internal DNS server as well as another recursive caching server running on a VM in a data centre over a wireguard connection. My openwrt queries both servers, so if I bounce my internal nameserver then my DNS queries still get resolved via my other server.

# Redirect dns queries to deal with android devices ignoring DHCP DNS settings

OPENWRTIPV4=$(uci get network.lan.ipaddr)
OPENWRTIPV6=$(ip address ls dev br-lan 2>/dev/null | grep global | sed -ne 's/ *inet6 \([^ \/]*\).* scope.*/\1/;T; p')

if [ ! -z "${SERVERIPV4}" ]; then

iptables -t nat -D prerouting_rule -i br-lan -s ${SERVERIPV4} -p udp --dport 53 -j RETURN 2> /dev/null
iptables -t nat -I prerouting_rule 1 -i br-lan -s ${SERVERIPV4} -p udp --dport 53 -j RETURN


if [ ! -z "${SERVERIPV6}" ]; then

ip6tables -t nat -D PREROUTING -i br-lan -s ${SERVERIPV6} -p udp --dport 53 -j RETURN 2> /dev/null
ip6tables -t nat -I PREROUTING 1 -i br-lan -s ${SERVERIPV6} -p udp --dport 53 -j RETURN


if [ ! -z "${OPENWRTIPV4}" ]; then

iptables -t nat -D prerouting_rule -i br-lan ! -d ${OPENWRTIPV4} -p udp --dport 53 -j DNAT --to-destination ${OPENWRTIPV4}:53 2> /dev/null
iptables -t nat -A prerouting_rule -i br-lan ! -d ${OPENWRTIPV4} -p udp --dport 53 -j DNAT --to-destination ${OPENWRTIPV4}:53


if [ ! -z "${OPENWRTIPV6}" ]; then

ip6tables -t nat -D PREROUTING -i br-lan ! -d ${OPENWRTIPV6} -p udp --dport 53 -j DNAT --to-destination [${OPENWRTIPV6}]:53 2> /dev/null
ip6tables -t nat -A PREROUTING -i br-lan ! -d ${OPENWRTIPV6} -p udp --dport 53 -j DNAT --to-destination [${OPENWRTIPV6}]:53


DoT can be disabled, and DoH in FF too, or just block the canary domain FF uses.


You can block DoH with banIP:


I want to block

set a fw rule redirecting or blocking calls for