Force Android phone to use local DNS for local domain name resolving

Hello,

I'm using OpenWrt 19.07 on an Archer C6 device.

OpenWrt allows me to visit a local (tasmota) HTTP server by just typing its hostname, followed by .lan:

e.g. http://koffiezetapparaat.lan redirects me to 192.168.1.190.

This works on my laptop.

However, Android 10 on my Samsung S10e will not use this local DNS server to resolve local hostnames.

I found this topic but the iptables rule doesn't seem to do anything.

How can I force my phone to resolve local hostnames?

You need to find out what the browser is doing on your phone.

Some, like Firefox on Android, tend to simply think anything ending in ".lan" should end up as a search query on whatever search engine you have configured.

Some, like Chrome, might have DNS-over-TLS/HTTPS enabled by default, which means your DNS lookups ignore the DNS servers set via DHCPv4/v6 and just head to the default configured DNS-over-TLS/HTTPS providers (Cloudflare, Google, etc).

Simple test: Download a network testing utility, try to ping your domain name. If it resolves correctly to an internal private address, it's a browser issue. If not, it's a DHCP issue and you can work from there.

The fact that blocking all LAN outbound traffic heading to port 53 (in essence blocking every DNS query a client on your network might send past your OpenWRT resolver) doesn't do the job means it's most likely DNS-over-HTTPS traffic, which uses 443 by default.

2 Likes

Thank you, it looks like it's a DHCP issue. Pings from my device to koffiezetapparaat.lan fail due to not resolving IP, pinging 192.168.1.190 works normally.

Could you post the content of your /etc/config/dhcp file (mask the text if you see anything sensitive)? It also might help to see what your phone gets via DHCP; again, a network testing utility/app usually has that info. Net Analyzer is a good one.

Also take a look at this, might be what you're looking for:

2 Likes

@ergamus, first off, thanks for taking the time to help me here.

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option leasetime '2h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac '[raspberry pi mac address]'
        option name 'rpi'
        option dns '1'
        option ip '192.168.1.4'

I installed the app to do the pinging to the devices. I read the article, yet setting the system-wide DNS to my local DNS server might be undesirable when going outside home.

From what I can gather, your DHCP settings look right.

The key might be disabling the Private DNS feature on your phone. As far as I can understand, when that's enabled on Android 9/10 it forces usage of DNS-over-TLS and basically ignores any DNS server you get via DHCP. The article I linked has an image (under section Android 9 Pie and newer) which shows a disable option for that, which might set it to use normal DNS server again.

1 Like

Unfortunately it seems that Android devices are trying to contact nameservers other than the one advertised by the DHCP server. If the solution mentioned above doesn't work, you can try to hijack.

3 Likes

You can hijack the DNS by forcing port 53 rules on your firewall...

1 Like

I have tried all of your suggestions but sadly, they didn't work:

  • ergamus: disabling the private DNS feature didn't make koffiezetapparaat.lan resolve;
  • trendy, erdoukki: I hijacked DNS, but this didn't change behaviour (I checked with the Network Analyzer app)

As far as I can tell (I have limited knowledge with networks), Android uses DNS over HTTPS. Redirecting port 443 traffic to 192.168.1.1:443 doesn't work because that port is used for regular HTTP traffic, too, and not just DNS resolving.

I think that the only way to get this done is by somehow filtering DNS requests from the HTTP traffic but I really have no idea how to do this.

Try disabling DoH if possible, or block DoH servers to make it fail over to plain DNS.

Alternatively, you can try to utilize mDNS:

1 Like

mozilla

echo "address=/use-application-dns.net/" >> /etc/dnsmasq.conf
/etc/init.d/dnsmasq restart
2 Likes

I had a similar issue and got it resolved by adding it to Network -> Hostnames.

vgaetera, wulfy, milanmk, sadly, I tried all of your solutions, but they didn't work.

Doesn't DoH fail over to plain DNS when you block its servers?

Also did you really try mDNS?

Try using the Blokada app on the phone to set your own router as DNS.

Blokada creates a fake VPN connection so it can "tunnel" and redirect all traffic from the phone to a local DNS server (still on the phone) so it can do adblocking. You can use it to change Android's DNS as well by setting a custom DNS in Blokada.

Due to obvious reasons (Google loves ads), the Blokada app you find on the Play Store can only change the DNS, which is what you want to do here: https://play.google.com/store/apps/details?id=org.blokada.alarm.dnschanger

2 Likes

@vgaetera:
On openwrt:

# opkg update
# opkg install umdns
# ubus call umdns update

On phone:
ping koffiezetapparaat.local in the Network Analyzer app:

1 Like

Also, I tried blocking 8.8.8.8 and 8.8.4.4 but for some reason, this led to the same result. Not sure if my blocking is right, so I added a screenshot.

1 Like

Change destination port to 443/tcp for DoH and in general you should block both IPv4 and IPv6 addresses:

# nslookup dns.google
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	dns.google
Address: 8.8.4.4
Name:	dns.google
Address: 8.8.8.8
Name:	dns.google
Address: 2001:4860:4860::8844
Name:	dns.google
Address: 2001:4860:4860::8888

Make sure you apply this together with DNS hijacking to intercept plain DNS:

1 Like
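An added example (not from this thread or from OpenWrt itself) that turns the advice above into router configuration: it parses the resolver addresses out of nslookup output in either of the two styles shown in this thread, prints uci commands for a REJECT rule per address on 443/tcp (DoH) and 853/tcp (DoT, which is what Android Private DNS speaks), with the IPv4/IPv6 family chosen per address, and prints the accompanying port 53 hijack redirect. The rule names and the sample nslookup text are constructed; the commands are printed for review rather than executed.

```shell
# Constructed sample in the busybox nslookup style seen in the thread;
# the glibc style ("Address: 8.8.4.4") is parsed the same way.
NSLOOKUP_SAMPLE='Server:   127.0.0.1
Address:  127.0.0.1#53

Name:      dns.google
Address 1: 8.8.4.4
Address 2: 8.8.8.8
Address 3: 2001:4860:4860::8888
Address 4: 2001:4860:4860::8844'

# Read nslookup output on stdin and print only the answer addresses;
# the "Address: 127.0.0.1#53" header line is skipped because of the '#'.
resolver_addrs() {
    awk '/^Address/ && $NF !~ /#/ { print $NF }'
}

# Print (do not run) one REJECT rule per resolver address on 443/tcp (DoH)
# and 853/tcp (DoT); the family is derived from the address syntax so that
# both IPv4 and IPv6 answers get covered, as the thread recommends.
reject_rules() {
    for a in "$@"; do
        case "$a" in *:*) fam=ipv6 ;; *) fam=ipv4 ;; esac
        cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='Reject-DoH-DoT-$a'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].family='$fam'
uci set firewall.@rule[-1].dest_ip='$a'
uci set firewall.@rule[-1].dest_port='443 853'
uci set firewall.@rule[-1].target='REJECT'
EOF
    done
}

# The DNS hijack redirect that must accompany the rejects: a DNAT with no
# dest_ip sends every LAN query on port 53 to the router's own dnsmasq.
hijack_rule() {
    cat <<'EOF'
uci add firewall redirect
uci set firewall.@redirect[-1].name='Hijack-DNS'
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].proto='tcp udp'
uci set firewall.@redirect[-1].src_dport='53'
uci set firewall.@redirect[-1].target='DNAT'
uci commit firewall && /etc/init.d/firewall restart
EOF
}
```

On the router, feed real output instead of the sample: `reject_rules $(nslookup dns.google | resolver_addrs)` followed by `hijack_rule`, and run the printed commands once you have checked them.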

Is this a legitimate site?

1 Like

I don't know how to read nslookup's output, but I got the same output as yours after rejecting IPv4 and IPv6 forwarding to 8.8.8.8 and 8.8.4.4:

root@openwrt:~# nslookup dns.google
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      dns.google
Address 1: 8.8.4.4
Address 2: 8.8.8.8
Address 3: 2001:4860:4860::8888
Address 4: 2001:4860:4860::8844
1 Like