DoH and DoT conflict

I have set up OpenWrt with luci-doh so I can use DoH on my router, but after setting that up my mobile can't access the Internet, because I have manually set DoT in its settings (Android 9 introduced this feature). When I switch the phone back from custom to automatic, or turn DoT off, I have Internet again. How can I work around this so that my phone uses DNS over TLS while my other devices use the DoH I have set on the router?

DoH and DoT should not conflict, as they use different ports.
The only thing I can imagine is that you block DoT traffic to force DoH.
As there is no luci-doh package, which package did you install and what is the configuration?


I only said "luci doh" loosely; that is not the package name.
luci-app-https-dns-proxy is the package I have installed. I have tested twice with the same issue. How can I solve this?

Have you implemented any firewall rules to enforce the use of your own DNS?


Nope, nothing; whatever was default I kept that way, as I don't know most of those settings.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses the output may contain.

# Diagnostic dump requested above: board/firmware info, the network, DHCP/DNS and
# firewall config, the https-dns-proxy config, the sockets the router is listening
# on (netstat -lnp), and every resolv.conf file the router has. The output can
# include MAC addresses and the WAN IP -- redact those before posting, as asked.
# Note: the lines end in a backslash continuation, so keep the block intact and do
# not add trailing comments to the command lines themselves.
ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
uci export https-dns-proxy; netstat -lnp; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Wait, I have to install that again, as I removed the package when the Internet was not working.

This should save you some time:

# Remove TCP/UDP port 853 (DNS-over-TLS) from the ports https-dns-proxy forces
# through itself. The package's force_dns handling intercepts client DNS so that
# everything goes via the router's DoH; with 853 in that list a phone's own
# Private DNS (DoT) can no longer reach its resolver, which matches the symptom
# described in this thread. Port 53 (if still listed, as it is by default) keeps
# being forced, so plain-DNS clients continue to use the router's DoH.
# Trade-off: any LAN device that sets its own DoT resolver then bypasses whatever
# filtering or logging the router-side DoH provider applies.
uci del_list https-dns-proxy.config.force_dns_port="853"
# Persist the change and restart the service so it takes effect.
uci commit https-dns-proxy
/etc/init.d/https-dns-proxy restart



I have done both of these, but I still can't use the Internet while my personal DNS is set in the device settings; if I remove the DNS setting from my phone, I can use the Internet without issues.

Does the personal DNS work if you disconnect from the Wi-Fi/LAN?

Yes. When I install the LuCI HTTPS DNS proxy it sets itself up automatically, and DNS stops working on both of my devices. I have to switch the personal DoT setting on my phone back to automatic, which resolves the issue, or turn on mobile data to get Internet. So I think turning on the HTTPS DNS proxy blocks the TLS port.

I have tested with luci-nextdns, and that does not have any issue like this.
The issue is that if I install and set up DoH, it immediately blocks my device's own private DNS, and uninstalling it restores DNS.
Also, if I set my device's DNS-over-TLS to automatic or off, it resolves and DoH works on my device, but I want my device to keep using the DoT I have already set, while DoH is used by the other smart devices, TV and other products. If I set up DoH, all devices can use DoH, but at the cost that I can't use my own custom DoT on my laptop or phone. How do I resolve this? I have tested this on both of my OpenWrt routers and the issue was the same; I have now tested it twice. I want to use DoH, so kindly help. I think you can reproduce the same issue if you have an Android device with your own DNS (DoT) set to AdGuard or NextDNS: you will not be able to use the Internet, as your DoT will be blocked and DNS will not be reachable. By the way, I have tested that the Internet works if you go to IPs instead of URLs.

Can you help here, @frollic?

I can SSH into the router, but installing DoH makes my already configured DoT unusable.

Excellent.

Then, are you able to complete the steps someone asked for in order to assist you?

See:

# ubus call system board
{
	"kernel": "5.10.161",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Xiaomi Mi Router 4A Gigabit Edition",
	"board_name": "xiaomi,mi-router-4a-gigabit",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.3",
		"revision": "r20028-43d71ad93e",
		"target": "ramips/mt7621",
		"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
	}
}
# uci export network
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fde4:aa0b:e4ad::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
# uci export dhcp
package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# uci export firewall
package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Is there a reason you didn't provide the uci export https-dns-proxy output?


Sorry i missed that.

...are you going to provide the output so we can assist you, or is your issue already solved?

Sure, I am not at home right now; I will for sure.
