Dns over Https (DoH) not working

yes, you were, just trying to make the instructions as clear as possible :wink:

Great! But then it seems like the package is not working well.

root@OpenWrt:~# /etc/init.d/https-dns-proxy restart
Stopping https-dns-proxy 2021-11-22-1 ✓
Starting https-dns-proxy 2021-11-22-1 ✓✓
root@OpenWrt:~# nc 127.0.0.1 5053
nc: can't connect to remote host (127.0.0.1): Connection refused

It has the same output with localhost as with 127.0.0.1

ok, so it appears to start, do the ps, to be sure.

you might need to check what port it's actually listening to.

try nc to port 5054 too.

Well, another turn of events, seems like a netcat problem (?).

root@OpenWrt:~# netstat -tunlp | grep '5054' 
udp        0      0 127.0.0.1:5054          0.0.0.0:*                           21542/https-dns-pro
root@OpenWrt:~# netstat -tunlp | grep '5053' 
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           21543/https-dns-pro

Also, netcat is refusing the connection and the thing is that netstat doesn't list it as listening like others, for example:

tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      21503/dnsmasq

ah, UDP ... >face palm<

sorry.

ok, so it's there, then you could try to catch all outgoing calls and redirect them to the 5053 or 5054.

Okay, but it should forward it automatically. I don't seem to know why it doesn't want to work.
The only dns thing that I changed in the past were the dns servers in the lan and wan interfaces.

How can I manually do it?

For anyone that stumbles with this post:

At the moment, I couldn't get DoH to work. The problem is that the router doesn't redirect the dns request from port 53 to 5054 despite being configured to do so:

You could do this manually in the firewall, but I don't have the knowledge to do it at the moment. If anyone gets DoH to work, let me know.

It happened to me when I built an OpenWrt image with https-dns-proxy already in.
Also it could be a corrupted dnsmasq installation.
So I can tell you: first uninstall https-dns-proxy completely. Reboot.
Then reinstall https-dns-proxy using the LuCI app, so it will install all dependencies.
Reboot.
See if it works now.
DNS hijack is for forcing dns on devices like smartphones, which tend to have, especially on Android, a forced dns on Google dns.
Also for VPN, if you want to try, you can use custom rules:

iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53

Put those in firewall>Custom rules.
Or in SSH uci:

uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.dns_int.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

Or LuCI → Network → Firewall → Port Forwards
Click Add and specify:
Name: Intercept-DNS
Protocol: TCP, UDP
Source zone: lan
External port: 53
Destination zone: unspecified
Internal IP address: any
Internal port: any
Click Save, then Save & Apply.
Also, you don't have to redirect to the https port; it's just that your dns requests go through dnsmasq.
But, if you want to try redirecting port 53 to 5054, you can change the custom rule to:

iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 5054
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 5054

Thanks for your help!

I did it through luci from the beginning.

I know, smartphones are a bit special, you have to change the dns manually or they keep using Google despite having been told otherwise. I found that this was more or less fixed if they had 2 dns servers advertised by the dhcp server, but sometimes even that fails.

I don't use a global vpn but I'll keep it in mind.

I will try to redirect the 53 port to the DoH ports as you pointed out.

The thing is, yesterday I was browsing the web in Firefox, where the first page that I specified earlier in the thread worked. Let's call it site A. But I stumbled on a 2nd website (B) that, despite having DoH, was blocked by my ISP. How is that possible? Can it be blocked on Cloudflare's side? It failed with the same message that I get on site A if I don't have DoH enabled.

Maybe that's why the https-dns-proxy doesn't seem to work, but maybe it is?

That's why you use Google also; if you use only Cloudflare, some websites don't work.
Also, sometimes I lose connectivity when I load a website, then it starts to load again.
So basically it's not advised to use only Cloudflare.

played around with this for a bit, and "fixed" it, but not in the way it's supposed to be. :wink:

disabled dnsmasq, and reconfigured one of the https-dns-proxy instances to listen on the router br-lan IP (usually 192.168.1.1) on port 53, instead of 5053, and the 2nd entry can be set to listen on 127.0.0.1 port 53.

So indeed it is not working as it should out of the box.
Is there any way to report the issue to the packager/upstream?

You should have to disable dnsmasq to get that to work. I'm using it for other purposes :frowning: . That's why it automatically configures (or at least tries to, as we discovered) dnsmasq to forward the requests.

Just installed the latest OpenWrt 21.02.2, with dnshttp proxy, worked out of the box.
But I can add something I found in the guide I have for https.
Anyway in 21.02.2 it works without modifying anything, I just have dnsmasq-full instead of normal dnsmasq.

All* you need to set in the dnsmasq configuration is the following:

uci set dhcp.@dnsmasq[0].noresolv='1'
uci add_list dhcp.@dnsmasq[0].server={proxy address}#{proxy port}
uci commit dhcp
*) you may need to configure an exception for your NTP domain so it will be resolved in the old fashioned way, bypassing the proxy.
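As an added example (not the thread's own commands), a small sh script that checks offline, from pasted command output, the three things this thread turns on: whether https-dns-proxy is listening (on UDP, which is why the nc TCP connect earlier was refused even though the proxy was running), whether dnsmasq is set up to forward to it as in the uci lines above, and whether the Intercept-DNS redirect from the firewall post is present. The sample outputs, and the NTP domain and address in the dnsmasq sample, are constructed.

```shell
#!/bin/sh
# Added example (not the thread's own commands): offline check of the three
# things the thread pokes at, fed with pasted command output. Samples below are
# constructed; on a router feed the real "netstat -tunlp", "uci show dhcp"
# and "uci show firewall" output instead.
NETSTAT_SAMPLE='udp        0      0 127.0.0.1:5054          0.0.0.0:*                           21542/https-dns-pro
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           21543/https-dns-pro
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      21503/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           21503/dnsmasq'
# dnsmasq pointed at 5053 only, plus an NTP exception of the kind mentioned above
UCI_DHCP_SAMPLE="dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].server='127.0.0.1#5053'
dhcp.@dnsmasq[0].server='/pool.ntp.org/9.9.9.9'"
# the Intercept-DNS redirect from the firewall post above
UCI_FW_SAMPLE="firewall.dns_int=redirect
firewall.dns_int.src='lan'
firewall.dns_int.src_dport='53'
firewall.dns_int.proto='tcp udp'
firewall.dns_int.target='DNAT'"

# Program listening on UDP port $1. https-dns-proxy listens on UDP only, which
# is why "nc 127.0.0.1 5053" (a TCP connect) is refused although it is running.
udp_listener() {
    printf '%s\n' "$2" | awk -v port="$1" \
        '$1 == "udp" && $4 ~ (":" port "$") { split($NF, p, "/"); print p[2]; exit }'
}
# True if dnsmasq ignores resolv.conf and has a server entry for 127.0.0.1#$1
dnsmasq_forwards_to() {
    printf '%s\n' "$2" | grep -q "noresolv='1'" || return 1
    printf '%s\n' "$2" | grep -q "\.server='127\.0\.0\.1#$1'"
}
# True if a redirect section captures LAN port 53 for both tcp and udp
dns_intercept_present() {
    for key in "src_dport='53'" "proto='tcp udp'" "target='DNAT'"; do
        printf '%s\n' "$1" | grep -q "\.$key" || return 1
    done
}
# Full path for one proxy port: proxy listening AND dnsmasq forwarding to it
doh_path_ok() {
    case "$(udp_listener "$1" "$2")" in
        https-dns-pro*) dnsmasq_forwards_to "$1" "$3" ;;
        *) return 1 ;;
    esac
}

for port in 5053 5054; do
    doh_path_ok "$port" "$NETSTAT_SAMPLE" "$UCI_DHCP_SAMPLE" && echo "port $port: ok" || echo "port $port: proxy or forward missing"
done
dns_intercept_present "$UCI_FW_SAMPLE" && echo "LAN DNS intercept: present" || echo "LAN DNS intercept: missing"
```

With the constructed samples, port 5053 passes and port 5054 is reported as missing because dnsmasq has no server entry for it.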