Force Android phone to use local DNS for local domain name resolving


I'm using OpenWrt 19.07 on an Archer C6 device.

OpenWrt allows me to visit a local (tasmota) HTTP server by just typing its hostname, followed by .lan:

e.g. http://koffiezetapparaat.lan redirects me to

This works on my laptop.

However, Android 10 on my Samsung S10e will not use this local dns server to resolve local hostnames.

I found this topic but the iptables rule doesn't seem to do anything.

How can I force my phone to resolve local hostnames?

You need to find out what the browser is doing on your phone.

Some like firefox on android, tend to simply think anything ending in ".lan" should end up as a search query on whatever search engine you have configured.

Some like Chrome might have DNS-over-TLS/HTTPS enabled by default, which means your DNS lookups ignore the DNS servers set via DHCPv4/v6 and just head to the default configured DNS-over-TLS/HTTPS providers (Cloudflare, Google, etc).

Simple test: Download a network testing utility, try to ping your domain name. If it resolves correctly to an internal private address, it's a browser issue. If not, it's a DHCP issue and you can work from there.

The fact that blocking all LAN outbound heading traffic to 53 (in essence blocking every dns query a client on your network might send past your OpenWRT resolver) doesn't do the job means it's most likely DNS-over-HTTPS traffic which uses 443 by default.


Thank you, it looks like it's a DHCP issue. Pings from my device to koffiezetapparaat.lan fail due to not resolving IP, pinging works normally.

Could you post the content of your /etc/config/dhcp file (mask the text if you see anything sensitive)? It also might help to see what your phone gets via DHCP, again a network testing utility/app usually has that info. Net Analyzer is a good one

Also take a look at this, might be what you're looking for:


@ergamus, first off, thanks for taking the time to help me here.

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option leasetime '2h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac '[raspberry pi mac address]'
        option name 'rpi'
        option dns '1'
        option ip ''

I installed the app to do the pinging to the devices. I read the article yet setting the systemwide DNS to my local DNS server might be undesirable when going outside home.

From what I can gather, your DHCP settings look right.

The key might be disabling the Private DNS feature on your phone. As far as I can understand, when that's enabled on Android 9/10 it forces usage of DNS-over-TLS and basically ignores any DNS server you get via DHCP. The article I linked has an image (under section Android 9 Pie and newer) which shows a disable option for that, which might set it to use normal DNS server again.

1 Like

Unfortunately it seems that Android devices are trying to contact other nameservers than the advertised from dhcp server. If the solution mentioned above won't work, you can try to hijack.


You can hijack the DNS by force port 53 rules on your Firewall...

1 Like

I have tried all of your suggestions but sadly, they didn't work;

  • ergamus: disabling the private DNS feature didn't make koffiezetapparaat.lan resolve;
  • trendy, erdoukki: I hijacked DNS, but this didn't change behaviour (I checked with the Network Analyzer app)

As far as I can tell (I have limited knowledge with networks), Android uses DNS over HTTPS. Redirecting port 443 traffic to doesn't work because that port is used for regular HTTP traffic, too, and not just DNS resolving.

I think that the only way to get this done is by somehow filtering DNS requests from the HTTP traffic but I really have no idea how to do this.

Try disable DoH if possible, or block DoH servers to make it failover to plain DNS.

Alternatively, you can try to utilize mDNS:

1 Like


echo "address=/" >> /etc/dnsmasq.conf
/etc/init.d/dnsmasq restart

I had a similar issue and got it resolved by adding it to Network -> Hostnames

vgaetera, wulfy, milanmk, sadly, I tried all of your solutions, but they didn't work.

Doesn't DoH failover to plain DNS when you block its servers?

Also did you really try mDNS?

try using Blokada app on the phone to set your own router as DNS.

Blokada creates a fake VPN connection so it can "tunnel" and redirect all traffic from the phone to a local DNS server (still on the phone) so it can do adblocking. You can use it to change Android's DNS as well by setting a custom DNS in Blokada.

Due to obvious reasons (Google loves ads), the Blokada app you find the Play Store that can only change the DNS, which is what you want to do here


On openwrt:

# opkg update
# opkg install umdns
# ubus call umdns update

On phone:
ping koffiezetapparaat.local in Network Analyzer app:

1 Like

Also, I tried blocking and but for some reason, this lead to the same result. Not sure if my blocking is right, so I added a screenshot.

1 Like

Change destination port to 443/tcp for DoH and in general you should block both IPv4 and IPv6 addresses:

# nslookup

Non-authoritative answer:
Address: 2001:4860:4860::8844
Address: 2001:4860:4860::8888

Make sure you apply this together with DNS hijacking to intercept plain DNS:

1 Like

Is this a legitimate site?

1 Like

I don't know how to read nslookup's output, but I got the same output as yours after rejecting IPv4 and IPv6 forwarding to and

root@openwrt:~# nslookup

Address 1:
Address 2:
Address 3: 2001:4860:4860::8888
Address 4: 2001:4860:4860::8844
1 Like