Block DoH and DoT dns on Android using banip

hello,
was anyone successful in such a setup, ie i need to force android devices to use my private / local DNS server.

thanks!

For DoT you can just block outgoing traffic to port 853. For DoH you need to find a list of domains/IP-addresses to block, like e.g. one of the many mentioned in this Reddit-thread.

Just as it was explained in your old thread...

seems no luck

loaded with that list https://raw.githubusercontent.com/oneoffdallas/dohservers/master/iplist.txt

  • command

root@OpenWrt-main-router:~# iptables -I output_rule 1 -p tcp --dport 853 -j REJECT
executed

No luck with what?

DNS uses UDP by default, not TCP. For best results, it'd be best to block both UDP and TCP.

1 Like

added command
iptables -I output_rule 1 -p udp --dport 853 -j REJECT

do i need to commit something?

still nothing changed... ;/

banip installed, ip list loaded,
iptables rejected DNS tcp/udp ports...

app still cant access host... apparently still reaching some doh / dot not local DNS

Install some ping app, see what IP you get back when you try to ping your host name.

i did that long time ago... and ping app crashed all the time
now it says
unknown host

when i execute ping from main router ... its resolved to local IP , which is fine.

does pinging some other random host on internet work ?

yeah all other hosts work fine.

maybe HAIR pinning has to be set somehow .. i dont know.

anyone any idea here?: ((

i think that app works similarly as plex

so it has something with domain rebinding .. no clue .

at the moment phone is still asking google?

root@OpenWrt-main-router:~# tcpdump -nn -i br-lan src host 10.0.1.141 and port 53 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
19:02:14.127844 IP 10.0.1.141.48202 > 10.0.1.1.53: 52513+ A? www.google.com. (32)
19:03:15.051827 IP 10.0.1.141.43110 > 10.0.1.1.53: 52709+ A? www.google.com. (32)

before it was like that

 tcpdump -nn -i br-lan src host 10.0.1.141 and port 53 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
18:56:58.339401 IP 10.0.1.141.11391 > 10.0.1.1.53: 44756+ A? encrypted-tbn2.gstatic.com. (44)
18:56:58.339853 IP 10.0.1.141.23789 > 10.0.1.1.53: 7129+ A? encrypted-tbn0.gstatic.com. (44)
18:57:00.278451 IP 10.0.1.141.61352 > 10.0.1.1.53: 34248+ A? discover-pa.googleapis.com. (44)

well apparently ... most of the posts/solutions here are nonsense... as it doesnt work ...

Don't let the door hit you in the back, on your way out...

2 Likes

well maybe i have something completely wrong ...
i tried to replicate almost everything written here ... with no success ... so no clue :frowning:

Blocking DoT is as simple as this. DoH is more complicated, but still can be blocked.

4 Likes