DNS over HTTPS (DoH) not working

Hey! I followed the guide here:

But I'm not getting very far. My ISP recently blocked a site that I want to access and is hijacking my requests.
The page loads from my Firefox with DoH enabled, so it seems like a good solution globally.
The problem is that no matter what I do, I cannot get the page to load from another browser/device.

This is my current configuration:

I have to add that previously I was using Cloudflare as the custom DNS resolver, as my ISP advertised their custom DNS servers, and I removed them in an effort to debug the situation. It didn't work.
What am I doing wrong?

DoH prevents ISPs from viewing DNS requests, but it doesn't totally prevent ISPs from tracking what you do.

Certain parts of HTTPS are not encrypted, such as SNI fields and OCSP connections.

Do your clients know they're supposed to use your router as DNS, or are you intercepting the requests in the firewall?

I know it's not total privacy like a VPN, but frankly, I don't care much; I have never heard of anyone that got in trouble for visiting those sites.

Thanks for the heads up though. I didn't know about the SNI fields or OCSP connections.

I have never touched the firewall. And yes, the devices have the router as the main and only DNS device.

And if you do nslookup yourblockedsite.com localhost on the router?

I'm not at home right now but I'll try it when I get there.

Just got home!

root@OpenWrt:~# nslookup [site] localhost
Server:         localhost
Address:        ::1#53

Name:      [name]
Address 1: [ip1]
Address 2: [ip2]
*** Can't find [site]: No answer

And from my pc:

nslookup [name]
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
Name:   [name]
Address:  [ip1]
Name:   [name]
Address:  [ip2]

It seems like it is using port 53 instead of the 5054 that DoH is running on.

What should I do?

Edit:

This is from the global dns settings

By the looks of it, your dnsmasq isn't talking to the https-dns-proxy, or something's not up and running.

Tue Feb  8 16:53:40 2022 daemon.info dnsmasq[14669]: using nameserver 127.0.0.1#5053
Tue Feb  8 16:53:40 2022 daemon.info dnsmasq[14669]: using nameserver 127.0.0.1#5054

It seems like it's up and running and using the right servers, but it seems that it does not work anyway.

This might be worth reading: Questions about installing DNS over HTTPS with Dnsmasq and https-dns-proxy


I read the entire thread and the only possibility that I can think of is that the router is using a cached DNS? I don't know if this makes sense. Is there a way to flush all cache? Is a reboot enough?

Restart the service.

If I were you, I'd double-check the syntax, especially the port, for having dnsmasq connect to the
upstream DNS, in your case the localhost https-to-dns proxy. I'm not sure it should be #5053.

2nd thing would be to check if there's something listening on 5053.

Did you set up two proxies, since you configured two upstream 127.0.0.1 DNSes?

But I don't use it myself, so I'm only guessing.

It is the default configuration applied automatically.

And dnsmasq is using those servers.

And I reloaded the service already...

Is it possible that something is forcing my clients to revert to plain DNS and I have to manually block it with a firewall rule?

You're not using OpenDNS, I guess those defaults came with the package...

Have you (re)started the https-dns-proxy service post-install?
Check if it's actually listening on port 5053...

DNS hijacking is possible, but it should still work from within the router.

Another option is to intercept (hijack) all outgoing UDP/TCP traffic on port 53,
and redirect it to port 5053, completely bypassing the dnsmasq.
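The "is anything listening where dnsmasq forwards to" check that the replies above describe, written up as an added example (not code from any poster in this thread and not part of the https-dns-proxy package). It pulls the upstream addresses out of dnsmasq's "using nameserver" log lines, pulls the listening sockets out of netstat output, and reports every upstream with no listener. The two sample inputs are constructed to reproduce the thread's situation (dnsmasq forwarding to 127.0.0.1#5053 and #5054 while only one proxy instance is up); running it against a real router assumes OpenWrt's logread and BusyBox netstat with -lnptu.

```shell
#!/bin/sh
# Added example, not from this thread. POSIX sh so it runs under BusyBox ash
# on OpenWrt as well as under bash on a PC.

# Constructed sample: dnsmasq lines as logread shows them in the thread.
SAMPLE_LOG='Tue Feb  8 16:53:40 2022 daemon.info dnsmasq[14669]: using nameserver 127.0.0.1#5053
Tue Feb  8 16:53:40 2022 daemon.info dnsmasq[14669]: using nameserver 127.0.0.1#5054'

# Constructed sample of `netstat -lnptu` output: one https-dns-proxy instance
# listens on 5053, nothing listens on 5054 (the "connection refused" case).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      14669/dnsmasq
tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      2222/https-dns-proxy
udp        0      0 0.0.0.0:53              0.0.0.0:*                           14669/dnsmasq
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           2222/https-dns-proxy'

# stdin: dnsmasq log lines; stdout: one "ip port" per "using nameserver" line.
dnsmasq_upstreams() {
    sed -n 's/.*using nameserver \([0-9a-f.:]*\)#\([0-9]*\).*/\1 \2/p'
}

# stdin: netstat -l output; stdout: one "ip port" per listening socket.
# The port is everything after the last colon, so IPv6 addresses work too.
listening_sockets() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":")
        port = a[n]
        ip = substr($4, 1, length($4) - length(port) - 1)
        print ip, port
    }' | sort -u
}

# missing_upstreams LOG NETSTAT: print each upstream (ip#port) with no listener.
missing_upstreams() {
    sockets=$(printf '%s\n' "$2" | listening_sockets)
    printf '%s\n' "$1" | dnsmasq_upstreams | sort -u | while read -r ip port; do
        if ! printf '%s\n' "$sockets" | grep -qxF "$ip $port"; then
            printf '%s#%s\n' "$ip" "$port"
        fi
    done
}

# check_upstreams LOG NETSTAT: return 0 if every upstream has a listener, else 1.
check_upstreams() {
    missing=$(missing_upstreams "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'dnsmasq upstream %s has no listener\n' $missing >&2
        return 1
    fi
    return 0
}

# On the router (assumed: OpenWrt with logread and BusyBox netstat) you would run
#   check_upstreams "$(logread | grep 'using nameserver')" "$(netstat -lnptu)"
# Here the constructed samples stand in for that output.
if check_upstreams "$SAMPLE_LOG" "$SAMPLE_NETSTAT"; then
    echo "every dnsmasq upstream has a listener"
else
    echo "dnsmasq forwards to a port nothing listens on; get https-dns-proxy running first"
fi
```

When the check fails, the DNS chain is broken before any firewall rule matters: dnsmasq still answers clients on port 53, but its forward to the proxy port is refused, which is exactly what the nc test in the thread shows for a single port.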

You're right, I forgot that I changed from Google DNS to OpenDNS as I don't like Google very much...

Yep. A couple of times.

How could I do that?

How could I do it?

Shouldn't really matter, tracking's done by cookies, not IPs.

Since they've removed telnet, try nc localhost 5053.

Don't, until we know it's actually working/running :wink:

I think you found the start of the problem, netcat returns a connection refused:

root@OpenWrt:~# nc localhost 5053
nc: can't connect to remote host: Connection refused

In that case, is the https-dns-proxy enabled?

If yes, ssh to the router and do a ps to see if the process is running.

Try doing /etc/init.d/https-dns-proxy restart
not sure of the name ----------^

Try the nc afterwards.

It might be a race condition...

I was already SSH'd into the router to run nc. I was not supposed to do it like that?