Hey! I followed the guide here:
But I'm not getting very far. My ISP recently blocked a site that I want to access and is hijacking my requests.
The page loads from my Firefox with DoH enabled, so it seems like a good solution globally.
The problem is that no matter what I do, I cannot get the page to load from another browser/device.
This is my current configuration:
I have to add that previously I was using Cloudflare as custom DNS resolver, as my ISP advertised their custom DNS servers, and I removed them in an effort to debug the situation. It didn't work.
What am I doing wrong?
DoH prevents ISPs from viewing DNS requests, but it doesn't totally prevent ISPs from tracking what you do.
Certain parts of HTTPS are not encrypted, such as SNI fields and OCSP connections.
Do your clients know they're supposed to use your router as DNS, or are you intercepting the requests in the firewall?
I know it's not total privacy like a VPN, but frankly, I don't care much. I have never heard of anyone who got in trouble for visiting those sites.
Thanks for the heads up though. I didn't know about the SNI fields or OCSP connections.
I have never touched the firewall. And yes, the devices have the router as the main and only DNS device.
And if you run nslookup yourblockedsite.com localhost on the router?
I'm not at home right now but I'll try it when I get there.
Just got home!
root@OpenWrt:~# nslookup [site] localhost
Address 1: [ip1]
Address 2: [ip2]
*** Can't find [site]: No answer
And from my PC:
Seems like it is using port 53 instead of the 5054 that DoH is running on.
What should I do?
This is from the global DNS settings
By the looks of it, your dnsmasq isn't talking to the https-dns-proxy, or something's not up and running.
Tue Feb 8 16:53:40 2022 daemon.info dnsmasq: using nameserver 127.0.0.1#5053
Tue Feb 8 16:53:40 2022 daemon.info dnsmasq: using nameserver 127.0.0.1#5054
It seems like it's up and running and using the right servers, but it seems that it does not work anyway.
I read the entire thread and the only possibility that I can think of is that the router is using a cached DNS? I don't know if this makes sense. Is there a way to flush all cache? Is a reboot enough?
Restart the service.
If I were you, I'd double-check the syntax, especially the port, for having dnsmasq connect to the upstream DNS, in your case the localhost https-to-dns proxy. I'm not sure it should be #5053.
Second thing would be to check if there's something listening on 5053.
Did you set up two proxies, since you configure two upstream 127.0.0.1 DNSes?
But I don't use it myself, so I'm only guessing.
It is the default configuration applied automatically.
And dnsmasq is using those servers.
And I reloaded the service already...
Is it possible that something is forcing my clients to revert to plain DNS and I have to manually block it with a firewall rule?
You're not using OpenDNS, I guess those defaults came with the package ...
Have you (re)started the https-dns-proxy service post-install?
Check if it's actually listening on port 5053...
DNS hijacking is possible, but it should still work from within the router.
Another option is to intercept (hijack) all outgoing UDP/TCP traffic on port 53 and redirect it to port 5053, completely bypassing dnsmasq.
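The two checks suggested in this thread (does dnsmasq point at the loopback proxy ports, and is anything actually listening there) can be scripted. The following is an added example written for this thread, not code from the original posts or from the https-dns-proxy/OpenWrt projects. It reads dnsmasq "using nameserver" log lines and the kernel socket table in /proc/net/tcp format, and reports any loopback upstream whose TCP port has no listener. The log lines are the two from this thread; the socket table is a constructed sample in which port 53 and 5054 are listening but 5053 is not, matching the "connection refused" symptom. On a real router you would point it at logread output and the live /proc/net/tcp (and /proc/net/udp, which this example does not parse).

```shell
#!/bin/sh
# Added example: check that dnsmasq's loopback upstreams have a listener.
# Only /proc/net/tcp is parsed (state 0A = LISTEN); UDP listeners are not covered.

listening_ports() {
    # $1: path to a file in /proc/net/tcp format (defaults to the live table).
    # Prints the decimal local port of every socket in LISTEN state.
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "${1:-/proc/net/tcp}" |
    while read -r hex; do printf '%d\n' "$((0x$hex))"; done
}

port_is_listening() {
    # $1: decimal port, $2: optional /proc/net/tcp-format file. Exit 0 if listening.
    listening_ports "$2" | grep -qx "$1"
}

dnsmasq_upstreams() {
    # $1: dnsmasq log file. Prints each "host#port" from "using nameserver" lines.
    sed -n 's/.*using nameserver \([^ ]*\).*/\1/p' "$1"
}

check_upstreams() {
    # $1: dnsmasq log file, $2: /proc/net/tcp-format file.
    # Prints "<host#port> listening|NOT listening" for every loopback upstream.
    # Returns 1 if any loopback upstream has nothing listening on its port.
    rc=0
    for up in $(dnsmasq_upstreams "$1"); do
        host=${up%#*}
        case "$up" in
            *#*) port=${up#*#} ;;
            *)   port=53 ;;          # dnsmasq default when no #port is given
        esac
        case "$host" in
            127.*|::1) ;;
            *) continue ;;           # remote upstream; cannot be checked locally
        esac
        if port_is_listening "$port" "$2"; then
            echo "$up listening"
        else
            echo "$up NOT listening"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input (file paths are temporary, hypothetical locations).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Tue Feb 8 16:53:40 2022 daemon.info dnsmasq: using nameserver 127.0.0.1#5053
Tue Feb 8 16:53:40 2022 daemon.info dnsmasq: using nameserver 127.0.0.1#5054
EOF

# Constructed /proc/net/tcp: 0x0035 = 53 and 0x13BE = 5054 are LISTEN (0A);
# the third row is an ESTABLISHED (01) socket and must be ignored; 5053 is absent.
SAMPLE_TCP=$(mktemp)
cat > "$SAMPLE_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:13BE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:13BE 0100007F:D4A2 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 20 4 0 10 -1
EOF
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_TCP"' EXIT

check_upstreams "$SAMPLE_LOG" "$SAMPLE_TCP" ||
    echo "at least one loopback upstream has no listener: check the https-dns-proxy service"
```

Against the sample it reports 127.0.0.1#5053 as NOT listening and 127.0.0.1#5054 as listening, which is exactly the state to look for before touching any port-53 redirect rule: a redirect to a port nobody listens on turns a partial outage into a total one.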
You're right, I forgot that I changed from Google DNS to OpenDNS as I don't like Google very much...
Yep. A couple of times.
How could I do that?
How could I do it?
Shouldn't really matter, tracking's done by cookies, not IPs.
How could I do that?
Since they've removed telnet, try nc localhost 5053.
How could I do it?
Don't, until we know it's actually working/running
I think you found the start of the problem, netcat returns connection refused:
root@OpenWrt:~# nc localhost 5053
nc: can't connect to remote host: Connection refused
In that case, is the https-dns-proxy enabled?
If yes, SSH to the router and run ps to see if the process is running (not sure of the process name).
Try the nc afterwards.
It might be a race condition ...
I was already SSH'd into the router to run nc, I was not supposed to do it like that?