DNS over HTTPS, Firewall and Private DNS

Hey, I recently installed and configured OpenWrt, and I just wanted to make sure everything was set up correctly. Besides that, I am also wondering if it's possible to continue forcing my DNS settings without breaking Android's Private DNS feature. Currently, I have to toggle it every time I connect to my network.

The current network is set up like this: the OpenWrt router is connected from its WAN port to the ISP's modem's LAN port, and I made the following changes:

  • Changed the root password.
  • Changed the LAN IP to 192.168.2.1.
  • Configured the Wi-Fi names and passwords.
  • Installed https-dns-proxy.
  • Ran the following commands:
# This sets up the https-dns-proxy package to use NextDNS

# Remove every existing https-dns-proxy resolver section so only the NextDNS one remains
while uci -q delete https-dns-proxy.@https-dns-proxy[0]; do :; done
# Create a named section and point it at the NextDNS DoH endpoint
uci set https-dns-proxy.dns="https-dns-proxy"
uci set https-dns-proxy.dns.resolver_url="https://dns.nextdns.io/12345"
# Listen only on loopback; dnsmasq forwards to this port
uci set https-dns-proxy.dns.listen_addr="127.0.0.1"
uci set https-dns-proxy.dns.listen_port="5053"
uci commit https-dns-proxy
/etc/init.d/https-dns-proxy restart

# Disable ra and dhcpv6 as mentioned here: https://forum.openwrt.org/t/daemon-warning-in-log/152406?u=lyceris-chan

uci set dhcp.lan.ra='disabled'
uci set dhcp.lan.dhcpv6='disabled'
uci commit dhcp
/etc/init.d/dnsmasq restart
/etc/init.d/odhcpd restart

Please note that "12345" is a placeholder value.

Please let me know if you have any additional recommendations or optimizations that I can make, and if there is anything I should change firewall-wise.

Also, Private DNS uses NextDNS's DNS-over-TLS/QUIC, while OpenWrt is configured to use DNS over HTTPS.

Lastly, I am aware that we can update packages and software through LuCI. So, I was wondering if it's recommended to do that or if it's just asking for stuff to break.

Thank you in advance for your assistance!

No, that's why you need to disable it.
You could try to enforce your own DNS by blocking DoH and DoT in the firewall, but then the phone might complain instead.
Trial and error.

Depends on what you're after.

The 2nd option.

I have my network configured with Adblock and also block DoH/DoT.

This forces all DNS requests to use my router and I don't need to toggle anything in Android. Phones automatically block adverts on all websites (e.g. Daily Mail).

Is that what you're seeking to achieve?

Do the phones complain about not being able to reach the "secure" DNSes?

I'm asking, since I have all DoH/DoT turned off on my phone.

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns I guess :wink:

The second thing was mainly just on whether I missed something while configuring it which I should have changed.

My Android phone does not complain - I block DoH/DoT with banIP blocklists and redirect all DNS requests to my internal server using DNAT rules. I haven't seen my iPhone complain either.
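The intercept_dns wiki approach linked above and the DNAT/DoT-blocking setup described in this reply, written out as an added example (not code from the thread or from the OpenWrt project). It emits the same style of uci commands the original post uses, for a LAN zone assumed to be named 'lan' with dnsmasq answering on port 53: plain DNS sent to any outside resolver is redirected back to the router, and DNS-over-TLS (port 853) is rejected so strict-mode clients fall back to the router. DoH shares port 443 with ordinary HTTPS, so it cannot be caught by a port rule; that is why the reply uses banIP blocklists for it, and the block leaves that part to banIP.

```shell
#!/bin/sh
# Added example: force LAN clients onto the router's resolver (dnsmasq -> https-dns-proxy)
# and reject DoT, in the spirit of the OpenWrt intercept_dns wiki page.
# Assumptions: firewall zone 'lan' exists; section names dns_int/dns_dot are our own choice.

# Print the uci commands rather than running them, so they can be reviewed first.
dns_enforcement_commands() {
  cat <<'EOF'
# Redirect any plain DNS (tcp/udp 53) a LAN client sends elsewhere back to this router.
# Omitting dest_ip on a DNAT redirect means "this device".
uci -q delete firewall.dns_int
uci set firewall.dns_int='redirect'
uci set firewall.dns_int.name='Intercept-DNS'
uci set firewall.dns_int.src='lan'
uci set firewall.dns_int.src_dport='53'
uci set firewall.dns_int.proto='tcp udp'
uci set firewall.dns_int.target='DNAT'

# DNS-over-TLS cannot be transparently redirected, so reject it at the WAN edge.
# Clients using "Automatic" private DNS then fall back to plain DNS, which the
# redirect above captures; a strict-mode client pinned to a hostname will instead
# report that it cannot reach its resolver.
uci -q delete firewall.dns_dot
uci set firewall.dns_dot='rule'
uci set firewall.dns_dot.name='Deny-DoT'
uci set firewall.dns_dot.src='lan'
uci set firewall.dns_dot.dest='wan'
uci set firewall.dns_dot.dest_port='853'
uci set firewall.dns_dot.proto='tcp udp'
uci set firewall.dns_dot.target='REJECT'

# DoH (port 443) is left to an IP/domain blocklist such as banIP; no port rule here.
uci commit firewall
service firewall restart
EOF
}

# Apply only on a real OpenWrt host (uci present); elsewhere just explain and return 1.
apply_dns_enforcement() {
  if ! command -v uci >/dev/null 2>&1; then
    echo "uci not found: run this on the OpenWrt router" >&2
    return 1
  fi
  dns_enforcement_commands | sh -e
}

# Usage: ./dns_enforce.sh          -> print the commands for review
#        ./dns_enforce.sh apply    -> run them on the router
if [ "${1:-}" = "apply" ]; then
  apply_dns_enforcement
else
  dns_enforcement_commands
fi
```

The redirect takes care of clients that hard-code 8.8.8.8 or similar; the DoT reject is what makes Android's "Automatic" mode settle on the router without toggling, which matches what this reply reports.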

Thanks, good to know.

That means I could leave it on for my home LAN, but it still wouldn't work on the road, unless I enable DoH and/or DoT on my Pi-holes.

I have a WireGuard connection back to my LAN that I can enable when outside the house. This is quite handy because Adblock disables the paywalls on some news sites.

Your Android's private DNS should continue to function with https-dns-proxy running on your router.

I haven't used Android for a while. I believe on Pixel there were three options: on/off/auto. I wonder if in auto mode it's able to detect https-dns-proxy on your router and disable Private DNS on Android.