Force Android phone to use local DNS for local domain name resolving

Doesn't DoH failover to plain DNS when you block its servers?

Also did you really try mDNS?

Try using the Blokada app on the phone to set your own router as DNS.

Blokada creates a fake VPN connection so it can "tunnel" and redirect all traffic from the phone to a local DNS server (still on the phone) so it can do adblocking. You can use it to change Android's DNS as well by setting a custom DNS in Blokada.

Due to obvious reasons (Google loves ads), the Blokada app you find in the Play Store can only change the DNS, which is what you want to do here: https://play.google.com/store/apps/details?id=org.blokada.alarm.dnschanger

2 Likes

@vgaetera:
On openwrt:

# opkg update
# opkg install umdns
# ubus call umdns update

On phone:
ping koffiezetapparaat.local in Network Analyzer app:

1 Like

Also, I tried blocking 8.8.8.8 and 8.8.4.4 but for some reason, this led to the same result. Not sure if my blocking is right, so I added a screenshot.

1 Like

Change destination port to 443/tcp for DoH and in general you should block both IPv4 and IPv6 addresses:

# nslookup dns.google
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	dns.google
Address: 8.8.4.4
Name:	dns.google
Address: 8.8.8.8
Name:	dns.google
Address: 2001:4860:4860::8844
Name:	dns.google
Address: 2001:4860:4860::8888

Make sure you apply this together with DNS hijacking to intercept plain DNS:

1 Like

Is this a legitimate site?

1 Like

I don't know how to read nslookup's output, but I got the same output as yours after rejecting IPv4 and IPv6 forwarding to 8.8.8.8 and 8.8.4.4:

root@openwrt:~# nslookup dns.google
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      dns.google
Address 1: 8.8.4.4
Address 2: 8.8.8.8
Address 3: 2001:4860:4860::8888
Address 4: 2001:4860:4860::8844
1 Like

I have no clue, it seems like the nameserver lookup to dns.google works normally with or without the firewall port 443 traffic reject rule, but I think that's just normal behaviour, the corresponding IPs for dns.google should be found normally through my normal DNS provider (I'm using AdGuard's DNS, 176.103.130.130 and 176.103.130.131). So the nameserver lookups are probably done through these IPs.

I also set up the DNS interception, but koffiezetapparaat.lan stays unpingable (except for when I explicitly set 192.168.1.1 as DNS in the query settings).

I also set up the firewall settings to block all traffic to Google's IPv4 and IPv6 servers over ports 53 and 443 without result:

You also need to block UDP/53
Better post the configuration than screenshots.
uci export firewall

@trendy:

root@openwrt:~# uci export firewall
package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config rule
	option dest 'wan'
	option src 'lan'
	option name 'Block Google'\''s DNS'
	option dest_port '53'
	option target 'REJECT'
	list dest_ip '8.8.8.8'
	list dest_ip '8.8.4.4'
	list dest_ip '2001:4860:4860::8888'
	list dest_ip '2001:4860:4860::8844'
	list proto 'tcp'
	list proto 'udp'

config redirect 'dns_int'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

config rule
	option dest_port '443'
	option src 'lan'
	option name 'Block Google'\''s DNS over HTTPS'
	option dest 'wan'
	list dest_ip '8.8.8.8'
	list dest_ip '8.8.4.4'
	list dest_ip '2001:4860:4860::8888'
	list dest_ip '2001:4860:4860::8844'
	option target 'REJECT'
	list proto 'tcp'
	list proto 'udp'

root@openwrt:~# cat /etc/firewall.nat6 
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/" \
| ip6tables-restore -T nat
1 Like

You need to intercept plain DNS aka 53/udp and 53/tcp, so don't block it.

The DNAT is taking place earlier in prerouting chain of nat table, so it should not be affected by a blocking rule in forward chain of filter table.

1 Like
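As an added example, not code from the thread or from OpenWrt, the following Python script parses a `uci export firewall` dump and checks it against the two points made above: that plain DNS from lan is DNAT-intercepted rather than rejected, and that the DoH block on 443 lists both IPv4 and IPv6 addresses. The embedded dump is a constructed, trimmed copy of the one posted above with the IPv6 addresses left out of the DoH rule, so the IPv4-only check fires; `parse_uci`, `check_dns_policy` and `lint` are names chosen here, and the script assumes the fw3 default that a rule without `proto` matches both tcp and udp.

```python
"""Lint an OpenWrt `uci export firewall` dump for the DNS policy discussed in
the thread: intercept plain DNS (DNAT of 53/tcp+udp from lan) rather than
block it, and block the public DoH endpoints on 443 for IPv4 *and* IPv6.

Added example, not code from the thread or from OpenWrt; it only understands
the `config` / `option` / `list` lines of the uci export format."""
import ipaddress
import shlex

# Constructed sample: a trimmed copy of the three DNS-related sections posted
# in the thread, with the IPv6 addresses deliberately left out of the DoH rule.
SAMPLE = r"""
package firewall

config redirect 'dns_int'
    option name 'Intercept-DNS'
    option src 'lan'
    option src_dport '53'
    option proto 'tcp udp'
    option target 'DNAT'

config rule
    option dest 'wan'
    option src 'lan'
    option name 'Block Google'\''s DNS'
    option dest_port '53'
    option target 'REJECT'
    list dest_ip '8.8.8.8'
    list dest_ip '8.8.4.4'
    list proto 'tcp'
    list proto 'udp'

config rule
    option dest_port '443'
    option src 'lan'
    option name 'Block Google'\''s DNS over HTTPS'
    option dest 'wan'
    list dest_ip '8.8.8.8'
    list dest_ip '8.8.4.4'
    option target 'REJECT'
    list proto 'tcp'
"""


def parse_uci(text):
    """Parse uci export text into [{'type', 'name', 'opts': {key: [values]}}]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("package "):
            continue
        parts = shlex.split(line)  # shell-style quoting, e.g. 'Google'\''s'
        if parts[0] == "config":
            name = parts[2] if len(parts) > 2 else None
            sections.append({"type": parts[1], "name": name, "opts": {}})
        elif parts[0] in ("option", "list") and sections:
            sections[-1]["opts"].setdefault(parts[1], []).append(parts[2])
    return sections


def _values(section, key, default=()):
    """Merge space-separated option values and list entries into one set."""
    return {v for raw in section["opts"].get(key, list(default)) for v in raw.split()}


def check_dns_policy(sections):
    findings = {
        "intercept_ok": False,       # DNAT redirect for 53/tcp+udp from lan
        "plain_dns_blocked": [],     # REJECT/DROP rules on 53 from lan (redundant)
        "doh_block_present": False,  # some REJECT/DROP rule on 443 from lan
        "doh_v4_only": [],           # 443 block rules listing only IPv4 targets
        "doh_v6_only": [],           # 443 block rules listing only IPv6 targets
    }
    for s in sections:
        src = _values(s, "src")
        target = _values(s, "target")
        # Assumption (fw3 default): a rule with no proto matches tcp and udp.
        proto = _values(s, "proto", default=["tcp udp"])
        if (s["type"] == "redirect" and "DNAT" in target and "lan" in src
                and "53" in _values(s, "src_dport") and {"tcp", "udp"} <= proto):
            findings["intercept_ok"] = True
        if s["type"] == "rule" and "lan" in src and target & {"REJECT", "DROP"}:
            name = s["opts"].get("name", ["<unnamed>"])[0]
            dports = _values(s, "dest_port")
            if "53" in dports:
                # DNAT runs in nat/PREROUTING before filter/FORWARD, so this rule
                # never sees intercepted LAN queries: harmless, but pointless.
                findings["plain_dns_blocked"].append(name)
            if "443" in dports:
                findings["doh_block_present"] = True
                families = {ipaddress.ip_network(ip.lstrip("!"), strict=False).version
                            for ip in s["opts"].get("dest_ip", [])}
                if families == {4}:
                    findings["doh_v4_only"].append(name)
                elif families == {6}:
                    findings["doh_v6_only"].append(name)
    return findings


def lint(text):
    return check_dns_policy(parse_uci(text))


if __name__ == "__main__":
    for key, value in lint(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the real dump with `lint(open("firewall.export").read())`; an empty `doh_v4_only` and `doh_v6_only`, `intercept_ok` true and nothing in `plain_dns_blocked` is the state the replies above are asking for.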

trendy, vgaetera:

OK, so AFAIK, my rules are set up correctly now, yet, my Android phone can't resolve koffiezetapparaat.lan. Any idea on what might be going on?

Check from the LAN client:

nslookup koffiezetapparaat.lan 8.8.8.8

This should be intercepted and resolved correctly.

This is so strange, it seems to work correctly from e.g. my laptop:

$ nslookup koffiezetapparaat.lan 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Name:	koffiezetapparaat.lan
Address: 192.168.1.190

and even with different DNS servers:

$ nslookup koffiezetapparaat.lan 1.1.1.1
Server:		1.1.1.1
Address:	1.1.1.1#53

Name:	koffiezetapparaat.lan
Address: 192.168.1.190

but still not on my Android phone.

I looked it a bit up and it seems that there are other people with (kind of) the same problem. For instance, this topic on Android stack exchange: https://android.stackexchange.com/questions/49188/how-to-get-mdns-working-for-chrome-on-android

Manually setting the primary (and secondary) DNS server to 192.168.1.1 didn't change anything either. I have no clue on how to go from here, really.

1 Like

It seems the only way out is to buy a public domain. :expressionless:

Guys, has anyone tried my suggestion yet? Force Android phone to use local DNS for local domain name resolving

3 Likes

For me Network Analyzer can resolve and ping a host in the LAN, but maybe it has to do with the Android version. I have just a hijack rule to send all queries to my Piholes.

1 Like

Newer Androids use port 853 by default for name resolution on IPv6. If IPv6 service is not available the fallback is hardcoded for 8.8.8.8/4.4 port 53 in any case. A public resolver will never resolve a local domain.

To me it sounds like you have misconfigured dnsmasq/firewall, like dnsmasq is bypassed. oO

What happens if you edit /etc/hosts and enter a new line with "192.168.1.190 koffiezetapparaat koffiezetapparaat.lan"? Is it getting resolved now?

What is the output of: "uci show dhcp"?

2 Likes