hello,
Was anyone successful in such a setup? I.e. I need to force Android devices to use my private/local DNS server.
thanks!
For DoT you can just block outgoing traffic to port 853. For DoH you need to find a list of domains/IP addresses to block, e.g. one of the many mentioned in this Reddit thread.
Just as it was explained in your old thread...
Seems no luck.
Loaded with that list: https://raw.githubusercontent.com/oneoffdallas/dohservers/master/iplist.txt
root@OpenWrt-main-router:~# iptables -I output_rule 1 -p tcp --dport 853 -j REJECT
executed
No luck with what?
DNS uses UDP by default, not TCP. For best results, it'd be best to block both UDP and TCP.
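The two replies above (block port 853 for DoT, block a DoH address list, and cover both UDP and TCP) can be put together into one rule set. The script below is an added example written for this thread, not code from any poster or from the OpenWrt project. It assumes an iptables-based firewall (fw3), a LAN bridge named br-lan, a router LAN address of 10.0.1.1 and a DoH list already downloaded to /tmp/doh_iplist.txt (one IPv4 address or CIDR per line); all four are assumptions and can be overridden through environment variables. Two points it bakes in: traffic from LAN clients traverses the FORWARD chain, whereas OpenWrt's output_rule chain hangs off OUTPUT and only affects traffic the router itself originates, so the reject rules go into FORWARD; and plain port-53 queries are redirected to the router's own resolver so that a client with a hard-coded public DNS server still ends up asking the local one. The script prints the rules rather than applying them, so it can be reviewed first and piped into sh to apply.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables/ipset rules that
# force LAN clients to the router's own DNS resolver.
# Assumed values, override via environment: LAN_IF, ROUTER_IP, DOH_LIST.
LAN_IF="${LAN_IF:-br-lan}"
ROUTER_IP="${ROUTER_IP:-10.0.1.1}"
# Fetch first, e.g.:
#   wget -O /tmp/doh_iplist.txt https://raw.githubusercontent.com/oneoffdallas/dohservers/master/iplist.txt
DOH_LIST="${DOH_LIST:-/tmp/doh_iplist.txt}"

# Prints one iptables/ipset command per line; nothing is executed here.
dns_enforce_rules() {
    # 1. DoT: reject port 853 over TCP *and* UDP for traffic coming in from the LAN.
    #    FORWARD is the chain LAN-to-WAN traffic passes through; OUTPUT only
    #    sees packets the router itself generates.
    echo "iptables -I FORWARD 1 -i $LAN_IF -p tcp --dport 853 -j REJECT"
    echo "iptables -I FORWARD 1 -i $LAN_IF -p udp --dport 853 -j REJECT"

    # 2. Plain DNS: any port-53 query not already aimed at the router is
    #    transparently DNATed to the router's resolver (UDP and TCP).
    echo "iptables -t nat -I PREROUTING 1 -i $LAN_IF -p udp --dport 53 ! -d $ROUTER_IP -j DNAT --to-destination $ROUTER_IP:53"
    echo "iptables -t nat -I PREROUTING 1 -i $LAN_IF -p tcp --dport 53 ! -d $ROUTER_IP -j DNAT --to-destination $ROUTER_IP:53"

    # 3. DoH: load the address list into an ipset and reject HTTPS to those hosts.
    if [ -r "$DOH_LIST" ]; then
        echo "ipset create doh_servers hash:net -exist"
        echo "ipset flush doh_servers"
        while IFS= read -r line; do
            # skip blank lines and comments in the list
            case "$line" in ''|'#'*) continue ;; esac
            echo "ipset add doh_servers $line -exist"
        done < "$DOH_LIST"
        echo "iptables -I FORWARD 1 -i $LAN_IF -p tcp --dport 443 -m set --match-set doh_servers dst -j REJECT"
    else
        echo "# DoH list $DOH_LIST not readable; DoH rules skipped" >&2
    fi
}

# Usage:  sh dns_enforce.sh         (review the rules)
#         sh dns_enforce.sh | sh    (apply them on the router)
dns_enforce_rules
```

Rules inserted this way do not survive a reboot; once the output looks right, the same rules belong in /etc/firewall.user (fw3) so the firewall reloads them. After applying, the tcpdump filter used later in this thread (src host <client> and port 53) should show every query from the client landing on the router, and a capture on port 853 or to the ipset addresses should show only rejected connection attempts.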
Added command:
iptables -I output_rule 1 -p udp --dport 853 -j REJECT
Do I need to commit something?
Still nothing changed... ;/
banIP installed, IP list loaded,
iptables rejected DNS TCP/UDP ports...
The app still can't access the host... apparently it's still reaching some DoH/DoT, not the local DNS.
Install some ping app, see what IP you get back when you try to ping your host name.
I did that a long time ago... and the ping app crashed all the time.
Now it says
unknown host
When I execute ping from the main router, it's resolved to the local IP, which is fine.
Does pinging some other random host on the internet work?
Yeah, all other hosts work fine.
Maybe hairpinning has to be set somehow... I don't know.
Anyone any idea here? :((
I think that app works similarly to Plex,
so it has something to do with domain rebinding... no clue.
At the moment the phone is still asking Google?
root@OpenWrt-main-router:~# tcpdump -nn -i br-lan src host 10.0.1.141 and port 53 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
19:02:14.127844 IP 10.0.1.141.48202 > 10.0.1.1.53: 52513+ A? www.google.com. (32)
19:03:15.051827 IP 10.0.1.141.43110 > 10.0.1.1.53: 52709+ A? www.google.com. (32)
Before it was like that:
tcpdump -nn -i br-lan src host 10.0.1.141 and port 53 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
18:56:58.339401 IP 10.0.1.141.11391 > 10.0.1.1.53: 44756+ A? encrypted-tbn2.gstatic.com. (44)
18:56:58.339853 IP 10.0.1.141.23789 > 10.0.1.1.53: 7129+ A? encrypted-tbn0.gstatic.com. (44)
18:57:00.278451 IP 10.0.1.141.61352 > 10.0.1.1.53: 34248+ A? discover-pa.googleapis.com. (44)
Well, apparently... most of the posts/solutions here are nonsense... as it doesn't work...
Don't let the door hit you in the back, on your way out...
Well, maybe I have something completely wrong...
I tried to replicate almost everything written here... with no success... so no clue.
Blocking DoT is as simple as this. DoH is more complicated, but still can be blocked.