I have set up OpenWrt with luci-doh so I can use DoH on my router, but after setting that up my mobile can't access the Internet, as I have manually set DoT from settings (Android 9 introduced this feature). When I switch back to automatic from custom on my phone, or turn that DoT off, I have Internet again. So how do I bypass this so my phone uses DNS over TLS and my other devices use the DoH that I have set in the router?
DoH and DoT should not conflict, as they are using different ports.
The only thing I can imagine is that you block DoT traffic to force DoH.
As there is no luci-doh package, which package did you install and what is the configuration?
I just mentioned luci doh to say it; that is not the package name.
luci-app-https-dns-proxy
This is the package I have installed. I have tested twice, same issue. How can I solve this?
Have you implemented any firewall rules to enforce the usage of your own dns ?
Nope, nothing. Whatever was default I kept that way, as I don't know most of them.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.
ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
uci export https-dns-proxy; netstat -lnp; \
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
Wait, I have to install that again, as I had removed that package because the Internet was not working.
This should save you some time:
uci del_list https-dns-proxy.config.force_dns_port="853"
uci commit https-dns-proxy
/etc/init.d/https-dns-proxy restart
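The commands above remove port 853 from the list of ports https-dns-proxy redirects to itself, which is what breaks a client's own DoT resolver. Here is an added example, not from the thread or from the https-dns-proxy project, that reads `uci export https-dns-proxy` output, reports which ports are being forced, and prints the remediation only when 853 is among them. The sample config is constructed; the section type `main` and the `force_dns` option are assumed from the package's defaults.

```sh
#!/bin/sh
# Constructed sample of `uci export https-dns-proxy` output on a router where the
# package hijacks both plain DNS (53) and DoT (853). Section type is assumed.
SAMPLE_CONFIG=$(cat <<'EOF'
package https-dns-proxy

config main 'config'
	option force_dns '1'
	list force_dns_port '53'
	list force_dns_port '853'
EOF
)

# Print every port in force_dns_port, one per line.
forced_ports() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*list force_dns_port '\([0-9]*\)'.*/\1/p"
}

# Succeed (exit 0) when port 853 is forced, i.e. client DoT is being intercepted.
hijacks_dot() {
    forced_ports "$1" | grep -qx 853
}

# Print the uci commands that stop the DoT redirect while keeping port 53 forced,
# so DoH remains the default for devices that do not configure their own resolver.
remediation() {
    if hijacks_dot "$1"; then
        printf '%s\n' \
            "uci del_list https-dns-proxy.config.force_dns_port='853'" \
            "uci commit https-dns-proxy" \
            "/etc/init.d/https-dns-proxy restart"
    else
        echo "# port 853 is not forced; DoT clients are not redirected"
    fi
}

# Stand-alone run against the constructed sample.
echo "Forced ports:"
forced_ports "$SAMPLE_CONFIG"
remediation "$SAMPLE_CONFIG"
```

On a real router, run `remediation "$(uci export https-dns-proxy)"` to check the live configuration instead of the sample.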
I have done both of these, but I still can't use the Internet when I have set my personal DNS in the device settings. If I remove the DNS settings from my phone, then I can use the Internet without issues.
Does the personal DNS work if you disconnect from the Wi-Fi/LAN?
Yes. When I install luci dns http proxy it automatically sets up, and both of my devices stop resolving DNS. I need to switch that personal DoT back to automatic on my phone, and doing that resolves the issue, or I have to turn on mobile Internet to get Internet. So I think turning on the https proxy DNS blocks the TLS port.
I have tested with luci-nextdns, but that does not have any issues like that.
The issue was that if I install DoH and set it up, it immediately blocked my device's own private DNS, and uninstalling it restored DNS.
Also, if I set my device's DNS-over-TLS to automatic or off, it resolves and DoH works on my device. But I want my device to use the DoT I have already set, while DoH is used by the other smart devices, TV and other products. If I set DoH, all devices can use DoH, but at the cost that I can't use my own custom DoT on my laptop or phone. How do I resolve this? I have tested this on both of my OpenWrt routers and the issue was the same, and I have tested twice now. I want to use DoH, so kindly help. I think you can also face the same issue if you have an Android device and set your own DNS (DoT) with AdGuard or NextDNS: you will not be able to use the Internet, as it will block your DoT, so DNS will not be reachable. By the way, I have tested that the Internet works if you go to IPs instead of URLs.
Can you help here, @frollic?
I can SSH into the router, but installing DoH makes my already set-up DoT unusable.
Excellent.
Then, are you able to complete the steps someone asked to assist you?
See:
# ubus call system board
{
"kernel": "5.10.161",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Xiaomi Mi Router 4A Gigabit Edition",
"board_name": "xiaomi,mi-router-4a-gigabit",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.3",
"revision": "r20028-43d71ad93e",
"target": "ramips/mt7621",
"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
}
}
# uci export network
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fde4:aa0b:e4ad::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
# uci export dhcp
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
Is there a reason you didn't provide the uci export https-dns-proxy output?
Sorry, I missed that.
...are you going to provide the output so we can assist you, or is your issue already solved?
Sure. I am not at home right now; I will for sure.