i want to block ports 443(dns over HTTPS) for certain ip's, and port 853(DNS OVER TLS) for everything below is the screen shot of what i have tried to implement. Both of my settings dont seem to work.
I have tried using BANIP package aswell to block doh servers using ip black list, while it works well and i cannot ping the ip's over terminal,dns over https on those ip's is still unblocked and cloudflare's tools can still connect to 1.1.1.1 over https and tls.
since you're blocking IGMP, try pinging 1.1.1.1, does it work ?
you could also try to replace the protocols with Any.
i have tried the commands from the dns hijacking wiki, they have crashed my router always idk why. and the gui commands mentioned in dns hijacking dont work for dns over https which runs on port 443. simply blocking port 443 should do the trick, has always worked on my pfsense boxes,tplink business series and cisco commercial firewalls.openwrt seems to ignore the blocks made via luci,even ban ip blacklists ip adresses are working over https idk why. Most probably cloudflare is using some different udp port.
works for me, but you probably want to add the ipv6 IPs to the rule.
root@OpenWrt:~# nslookup one.one.one.one
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: one.one.one.one
Address 1: 1.0.0.1
Address 2: 1.1.1.1
Address 3: 2606:4700:4700::1001
Address 4: 2606:4700:4700::1111
These rules are not enabled.
For DoH only TCP is needed and since you are blocking IPv4 addresses there is no need to expand to IPv6 family.
Same for DoT, only TCP is needed.
I didn't specify any ports in my rule, but who knows ...
if it doesn't work, you'll have to use tcpdump to see what it's actually doing.
yeah, i have even tried blocking the udp port warp uses, idk why it is still going through,tcpdump shall help. What is confusing to me is i am not able to ping 1.1.1.1 from the terminal,nor is cloudflare doh working through firefox.
The WARP client talks with our edge via a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow
zero-trust-client.cloudflareclient.comwhich will lookup the following IP addresses:
WARP utilizes UDP for all of its communications. By default, the UDP Port required for WARP is: UDP 2408. WARP can fallback to: UDP 500, UDP 1701, or UDP 4500.
did block those,still works 
my lil brother is too smart has used warp before to bypass.
if you blocked everything in that link, it shouldn't even start.
Is your OpenWrt device acting as router?
ah now it is working, had accidentally kept UDP 500 to accept.what still works is 1.1.1.1 although not through firefox or through ping in cmd
well, you're only blocking TCP, ping is ICMP.
that's why I said you could put Any in the rule.
yes, it does has a ppoe connection.
now stuck on connecting
warps dead but normal 1.1.1.1 over https and TLS still works only through the cloudflare warp app though app dont know why.
if that's all you've got, you're now missing the old 1.1.1.1/1.0.0.1 + IPv6 rule.
i do have the other rules, firefox,normal pings etc are dead to all these, just the warp app 1.1.1.1 keeps on running even though i have added cloudflares ingress now. warp+/war vpn is officially dead aswell. just 1.1.1.1 is being a pia
Did you flush the conntrack table between your tests? You can do that by restarting (not reloading) the firewall service.
i did, plain DOH only through the warp app(no firefox,ping etc) still works,everything else is dead.
