Hello,
was anyone successful in such a setup, i.e. I need to force Android devices to use my private / local DNS server?
Thanks!
For DoT you can just block outgoing traffic to port 853. For DoH you need to find a list of domains/IP addresses to block, like e.g. one of the many mentioned in this Reddit thread.
Just as it was explained in your old thread...
Seems no luck.
Loaded with that list: https://raw.githubusercontent.com/oneoffdallas/dohservers/master/iplist.txt
root@OpenWrt-main-router:~# iptables -I output_rule 1 -p tcp --dport 853 -j REJECT
executed
No luck with what?
DNS uses UDP by default, not TCP. For best results, it'd be best to block both UDP and TCP.
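An added example, not something posted in this thread, that puts the two replies above (block 853, and block it for UDP as well as TCP) into one script for OpenWrt with fw3/iptables. One point worth stressing: fw3's output_rule chain only sees packets the router itself generates, so a reject placed there never touches the phone's forwarded traffic; the rule has to go into forwarding_rule. The script also redirects stray plain port-53 queries to the router and turns a downloaded DoH IP list into reject rules. The interface br-lan and router address 10.0.1.1 are taken from the tcpdump later in the thread, the list file path /etc/doh-servers.txt is an assumption, and the chain names are fw3's standard user chains.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone in it).
# Keeps LAN clients on the router's own resolver on OpenWrt with fw3/iptables:
#  1. reject DoT (853/tcp+udp) for forwarded LAN traffic
#  2. redirect stray plain DNS (53) to the router
#  3. reject known DoH endpoints from a downloaded IP list
# Assumed: LAN bridge br-lan and router address 10.0.1.1 (from the thread's
# tcpdump), and fw3's user chains forwarding_rule (filter table) and
# prerouting_rule (nat table). DRY_RUN=1 (the default) only prints the commands.

LAN_IF="${LAN_IF:-br-lan}"
ROUTER_IP="${ROUTER_IP:-10.0.1.1}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# DoT: reject on the FORWARD path. output_rule only sees packets the router
# itself generates, so rules there never touch traffic from the phone.
block_dot() {
    for proto in tcp udp; do
        run iptables -I forwarding_rule 1 -i "$LAN_IF" -p "$proto" --dport 853 -j REJECT
    done
}

# Plain DNS: a client with a hardcoded resolver (e.g. 8.8.8.8) gets its
# port-53 traffic redirected to the router's dnsmasq instead.
redirect_dns() {
    for proto in tcp udp; do
        run iptables -t nat -I prerouting_rule 1 -i "$LAN_IF" -p "$proto" --dport 53 \
            ! -d "$ROUTER_IP" -j REDIRECT --to-ports 53
    done
}

# DoH: one REJECT per address in a list file (one IPv4/CIDR per line,
# '#' comments and blank lines ignored). The default path is an assumption;
# the list used in the thread is the oneoffdallas/dohservers iplist.txt.
block_doh_list() {
    list="${1:-/etc/doh-servers.txt}"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        ip="${line%%#*}"          # strip trailing comment
        ip="$(printf '%s' "$ip" | tr -d '[:space:]')"
        [ -z "$ip" ] && continue
        run iptables -I forwarding_rule 1 -i "$LAN_IF" -p tcp --dport 443 -d "$ip" -j REJECT
        count=$((count + 1))
    done < "$list"
    echo "blocked $count DoH addresses" >&2
}

# Verification: anything still leaving on 853, or on 53 to a host other than
# the router, is a leak worth chasing with this capture.
audit_cmd() {
    echo "tcpdump -nn -i $LAN_IF 'port 853 or (port 53 and not dst host $ROUTER_IP)'"
}

apply_all() {
    block_dot
    redirect_dns
    [ -r "${DOH_LIST:-/etc/doh-servers.txt}" ] && block_doh_list "${DOH_LIST:-/etc/doh-servers.txt}"
    audit_cmd
}

# Run with:  DRY_RUN=0 sh dns-lock.sh apply   (dry run when DRY_RUN is unset)
case "${1:-}" in
    apply) apply_all ;;
esac
```

Rules added this way do not survive a firewall restart; on fw3 the same commands belong in /etc/firewall.user (or the equivalent UCI redirect/rule entries) so they are reapplied. Note also that blocking 853 only makes an Android in "Automatic" Private DNS mode fall back to plain DNS; a phone with a hostname pinned under Private DNS simply loses resolution until that setting is changed.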
Added command:
iptables -I output_rule 1 -p udp --dport 853 -j REJECT
Do I need to commit something?
Still nothing changed... ;/
banIP installed, IP list loaded,
iptables rejected DNS TCP/UDP ports...
App still can't access host... apparently still reaching some DoH / DoT, not the local DNS.
Install some ping app, see what IP you get back when you try to ping your host name.
I did that a long time ago... and the ping app crashed all the time.
Now it says
unknown host
When I execute ping from the main router... it's resolved to the local IP, which is fine.
Does pinging some other random host on the internet work?
Yeah, all other hosts work fine.
Maybe hairpinning has to be set somehow... I don't know.
Anyone any idea here? :((
I think that app works similarly to Plex,
so it has something to do with domain rebinding... no clue.
At the moment the phone is still asking Google?
root@OpenWrt-main-router:~# tcpdump -nn -i br-lan src host 10.0.1.141 and port 53 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
19:02:14.127844 IP 10.0.1.141.48202 > 10.0.1.1.53: 52513+ A? www.google.com. (32)
19:03:15.051827 IP 10.0.1.141.43110 > 10.0.1.1.53: 52709+ A? www.google.com. (32)
Before it was like this:
tcpdump -nn -i br-lan src host 10.0.1.141 and port 53 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
18:56:58.339401 IP 10.0.1.141.11391 > 10.0.1.1.53: 44756+ A? encrypted-tbn2.gstatic.com. (44)
18:56:58.339853 IP 10.0.1.141.23789 > 10.0.1.1.53: 7129+ A? encrypted-tbn0.gstatic.com. (44)
18:57:00.278451 IP 10.0.1.141.61352 > 10.0.1.1.53: 34248+ A? discover-pa.googleapis.com. (44)
Well apparently... most of the posts/solutions here are nonsense... as it doesn't work...
Don't let the door hit you in the back, on your way out...
Well, maybe I have something completely wrong...
I tried to replicate almost everything written here... with no success... so no clue.