Dns over Https (DoH) not working

Hey! I followed the guide here:

But I'm not getting very far. My ISP recently blocked a site that i want to access and is hijacking my requests.
The page loads from my Firefox with DoH enabled, so it seems like a good solution globally.
The problem is that not matter what i do, I can not get the page to load from another browser/device.

This is my current configuration:

I have to add, that previously, I was using cloudflare as custom DNS resolver as my ISP advertised their custom DNS serves and I removed them in an effort to debug the situation. It didn't work.
What am I doing wrong ?

DoH prevents ISPs from viewing DNS requests, but it doesn't totally prevent ISPs from tracking what you do.

Certain parts of HTTPS are not encrypted, such as SNI fields and OCSP connections

Does your clients know they're supposed to use your router as DNS, or are you intercepting the requests in the firewall?

I know is not like total privacy like a vpn, but frankly, i don't care much I have never heard of anyone that got in trouble for visiting those sites.

Thanks for the heads up tho. I didn't know about the SNI fields of OCSP connections.

I have never touched the firewall. And yes the devices have the router as the main and only dns device.

and if you do nslookup yourblockedsite.com localhost on the router ?

I'm not at home rn but I'll try it when i get there.

Just got home!

root@OpenWrt:~# nslookup [site] localhost
Server:         localhost
Address:        ::1#53

Name:      [name]
Address 1: [ip1]
Address 2: [ip2]
*** Can't find [site]: No answer

And from my pc:

nslookup [name]

Non-authoritative answer:
Name:   [name]
Address:  [ip1]
Name:   [name]
Address:  [ip2]

Seems like it is using port 53 instead of the 5054 that DoH is runnig on.

What should I do?


This is from the global dns settings

by the looks of it, your dnsmasq isn't talking to the https-dns-proxy, or something's not up and running.

Tue Feb  8 16:53:40 2022 daemon.info dnsmasq[14669]: using nameserver
Tue Feb  8 16:53:40 2022 daemon.info dnsmasq[14669]: using nameserver

Its seems like its up and running and using the right servers but Its seems that it does not work anyway.

this might be worth reading Questions about installing DNS over HTTPS with Dnsmasq and https-dns-proxy

1 Like

I read the entire thread and the only possibility that I can think of is that the router is using a cached dns? Idk if this makes sense. Is there a way to flush all cache? I a reboot enough ?

restart the service.

If I were you, I'd doublecheck the syntax, especially the port, for having dnsmasq connecting to the
upstream dns, in your case, the localhost https-to-dns proxy. I'm not sure it should be # 5053.

2nd thing would be to check if there's something listening on 5053.

Did you set up two proxies, since you configure two upstream 127.0.01 DNSes ?

But I don't use it myself, so I'm only guessing.

Its is the default configuration applied automatically.

And dnsmask is using those servers.

And I reloaded the service already...

It is possible that something is forcing my clients to revert to plain DNS and I have to manually block it in firewall rule?

You're not using OpenDNS, I guess those defaults came with the package ...

Have you (re)started the https-dns-proxy service post install ?
Check if it's actually listening on port 5053...

DNS hijacking is possible, but it should still work from within the router.

Another option is to intercept (hijack) all outgoing UDP/TCP traffic on port 53,
and redirect it to port 5053, completely bypassing the dnsmasq.

You're right, I forgot that I changed from GoogleDNS to OpenDNS as I dont like google very much...

Yep. A couple of times

How could I do that?

How could I do it?

Shouldn't really matter, tracking's done by cookies, not IPs.

Since they've removed telnet, try nc localhost 5053.

Don't, until we know it's actually working/running :wink:

I think you found the start of the problem, netcat returns a connection refused:

root@OpenWrt:~# nc localhost 5053
nc: can't connect to remote host: Connection refused

in that case, is the https-dns-proxy enabled ?

if yes, ssh to the router, do a ps, to see if the process' running.

try doing /etc/init.d/https-dns-proxy restart
not sure of the name ----------^

try the nc afterwards.

it might be a race condition ...

I was already ssh'd in the router to run nc, I was not supposed to do it like that?