Apple devices not using Unbound DNS

I followed the settings to set up Unbound with parallel dnsmasq here: https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md#parallel-dnsmasq

I also set up adblock-fast on my router.

When I visit https://dnsleaktest.com/ on my PC connected via ethernet as well as on my laptop connected over wifi, both show my DNS has been masked. However, when I visit it from an iPhone or iPad, both are leaking my DNS. Both devices also still have ads loading on websites. My iPhone has Private Relay disabled and Configure DNS set to automatic, which is showing my IPv4 and IPv6 DNS servers. I have tried both enabling and disabling Private WiFi Address and Limit IP Address Tracking under the wifi settings, but neither seems to affect the results.

Any ideas why my unbound + adblock setup works on my other wireless devices but not on my Apple ones?

Disable cellular-wireless/data and run the tests again.

It still leaks when disabling cellular on my iPhone, and my iPad does not have cellular activated at all.

Try this:
Settings/cellular/ scroll to close to the bottom and toggle off wi-fi assist.

Then test again

It's still leaking after disabling wifi assist unfortunately.

It's worth mentioning that I enabled Force Router DNS to enable DNS Hijacking in the adblock-fast settings and set DNS Service to unbound adblock list, so I thought that would ultimately cause everything connected to my router to use it. I also set DHCP Options to option:dns-server,0.0.0.0 on my lan interface and disabled Use DNS servers advertised by peer on my wan and wan6 interfaces.

Probably need to block the two Apple canary domains.

Okay, let's see who it is leaking to:
go here and snip the results.

Scratch out your public ip address at the top.

I use Pi-hole so I don't pay attention to who is blacklisted but a common list blocks my Apple devices and all I see is Cloudflare.

The two mentioned in the other thread are actually blocked by pihole by default, even if you don't have any block lists set up.


I have to run to the Doctor's so my time in the thread is done.

I had been running PiHole just fine. Maybe I'll switch back to that...

In the meantime, manually adding those apple domains to adblock still doesn't work. The DNS leak test shows two servers for my ISP whereas on my non-Apple devices it shows it's not leaking. Anything specific I should be looking at in the results there?

Even after switching back to pihole, I am still seeing my DNS leaking in Safari on my iPhone and iPad. Apple appears to be overriding my settings somewhere.

Are you perhaps using iCloud Private Relay? Check in iCloud settings. After turning it off, you might need to turn off and on again wifi and airplane mode to see the difference. The 2 domains mentioned earlier are supposed to disable this feature for your network, but it might be your devices didn’t notice for some reason.

I have it disabled and every other Apple networking feature as far as I can tell. The wifi shows the correct dns server, but it doesn't appear to be using it from safari. Instead it uses my ISP's.

Maybe your ISP is hijacking DNS requests? But that would be weird that they only do it for certain clients.

Are you sure you don’t have any firewall port forwards?

You probably need to use banip and block all public dns (there's a drop-down list). Think Apple uses doh so you can't really enforce your own dns without blocking the doh server itself. (Think this is the case for Google Chrome too).

I set up a port forward rule to route everything from port 53 to my pihole. It works on every wireless device I own that isn't made by apple.

I set up banip and used the doh list, but it still isn't working. I'm chalking this up as a bigger issue tied to the thread @frollic linked to above.

Ok it was worth a shot. I can confirm it does block Apple's dns using dnsmasq.


That isn't my experience with Apple devices. Apple doesn't enforce their own DNS. But DNS config is messy. I think the order of precedence is:

  1. iCloud Private Relay has its own DNS when enabled. Switch to off.
  2. DoH is used when set manually by installing a special profile (Settings -> General -> VPN & Device Management -> DNS) or enabled via apps like NextDNS or 1.1.1.1, which are visible together with profiles. Switch to Automatic.
  3. Manual oldschool DNS in Settings -> WiFi -> your SSID (i) icon -> Configure DNS. Switch to Automatic.
  4. DNS obtained from DHCP (option 6).
  5. Gateway aka router is assumed to provide DNS.
  Bonus point: when WiFi "doesn't have internet access", cellular connection could be used, so disable Settings -> Cellular -> (scroll almost to the bottom) -> Wi-Fi Assist. Turn off.
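The port-53 redirect and the "Force Router DNS" hijack that come up earlier in the thread, written out as an OpenWrt uci batch; this is an added example, not code from the thread or from adblock-fast, and it assumes the default zone names lan and wan. As the thread already notes, this catches plain DNS and DoT but cannot single out DoH, which shares port 443 with ordinary HTTPS.

```shell
#!/bin/sh
# Added example (not from the thread or adblock-fast): install the same DNS
# hijack that "Force Router DNS" / the port-53 forward in the thread provides.
#  - Port 53 from the LAN zone is DNAT'd to the router, so a client with a
#    manually set plain-DNS server still ends up at the local resolver.
#  - DoT (853) is rejected so such clients fall back to plain DNS.
# DoH travels on 443 and cannot be singled out by port, which is why the
# thread turns to banIP's DoH server list for that case.
# Assumptions: default OpenWrt zone names "lan" and "wan".

LAN_ZONE="${LAN_ZONE:-lan}"
WAN_ZONE="${WAN_ZONE:-wan}"

# The uci batch; named sections make re-running it idempotent.
dns_hijack_batch() {
    cat <<EOF
set firewall.dns_hijack=redirect
set firewall.dns_hijack.name='Redirect-DNS'
set firewall.dns_hijack.src='$LAN_ZONE'
set firewall.dns_hijack.src_dport='53'
set firewall.dns_hijack.proto='tcp udp'
set firewall.dns_hijack.target='DNAT'
set firewall.deny_dot=rule
set firewall.deny_dot.name='Deny-DoT'
set firewall.deny_dot.src='$LAN_ZONE'
set firewall.deny_dot.dest='$WAN_ZONE'
set firewall.deny_dot.dest_port='853'
set firewall.deny_dot.proto='tcp udp'
set firewall.deny_dot.target='REJECT'
EOF
}

# Number of firewall sections the batch creates (sanity check before applying).
dns_hijack_section_count() {
    dns_hijack_batch | grep -cE '^set firewall\.[a-z_]+=(redirect|rule)$'
}

# Apply on the router: feed the batch to uci, commit, reload the firewall.
apply_dns_hijack() {
    dns_hijack_batch | uci batch \
        && uci commit firewall \
        && service firewall restart
}

case "${1:-}" in
    --apply) apply_dns_hijack ;;
esac
```

From a LAN client, looking up a name from the adblock list against an outside resolver (e.g. `nslookup <blocked-name> 1.1.1.1`) should now return the block answer instead of a real address. A device that resolves over DoH on port 443 still bypasses this and will keep showing the ISP or upstream servers at dnsleaktest, which is the symptom in the thread.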