Force Android phone to use local DNS for local domain name resolving

Strange behaviour going on. A minute ago, my phone suddenly resolved koffiezetapparaat.lan properly. I wanted to make some screenshots to show you this along with the current settings (for future readers ofr future reference) but all of a sudden, koffiezetapparaat.lan does not get resolved properly anymore.

Luckily, I saved the tcpdump log (as pwned suggested). I will read through this and try to find out what went different this time.

Correct resolving:

16:02:02.808623 ARP, Request who-has koffiezetapparaat tell Telefoon.lan, length 46
16:02:02.808802 IP Telefoon.lan.18456 > openwrt.lan.53: 40623+ PTR? (44)

No resolving:

16:13:32.611251 IP Telefoon.lan.59676 > Flags [P.], seq 2606:3587, ack 5756, win 422, options [nop,nop,TS val 819405971 ecr 1053534868], length 981
16:13:33.400697 IP Telefoon.lan.59676 > Flags [.], ack 6064, win 433, options [nop,nop,TS val 819406768 ecr 1053543441], length 0

16:16:01.132239 IP Telefoon.lan.49108 > Flags [P.], seq 3588:4569, ack 6064, win 433, options [nop,nop,TS val 3457205215 ecr 710600902], length 981
16:16:01.305224 IP Telefoon.lan.49108 > Flags [.], ack 6372, win 444, options [nop,nop,TS val 3457205401 ecr 710608801], length 0

16:20:24.274708 IP Telefoon.lan.35954 > Flags [.], seq 2030808332:2030809760, ack 3394053553, win 422, options [nop,nop,TS val 1762652882 ecr 3877128620], length 1428
16:20:24.274838 IP Telefoon.lan.35954 > Flags [P.], seq 1428:1580, ack 1, win 422, options [nop,nop,TS val 1762652882 ecr 3877128620], length 152
16:20:24.939723 IP Telefoon.lan.35954 > Flags [.], ack 309, win 433, options [nop,nop,TS val 1762653551 ecr 3877139229], length 0

What I think is happening here: Android maybe uses a range of different DNS (over HTTPS) servers to resolve hostnames. The one time it resolved koffiezetapparaat.lan correctly was the time that it used a blocked Google DNS server and thus relayed it to openwrt.lan to do the resolving. The other times, it gets passed as HTTPS traffic to different IP's.


A whois is telling: OrgTechName: Microsoft Routing, Peering, and DNS

I guess the App itself is asking this cloud DNS server. Android will probably never rely on a Microsoft DNS resolver. :smiley:

As the App is asking over HTTPS you cannot do much about it. The only thing you could do is to get the resolving name of this IP like for other resolvers (e. g. and block this address/url or redirect it to your local DNS. But that would only work if the App is not so smart and does not fetch a list of possible DNS resolvers before over its own servers to have more then one available.
If you are lucky it is hardcoded and you just have to redirect a few urls.

EDIT: What you could try is restrict the device by MAC/IP to LAN only (so no internet available for it; if this is enough for your needs). It might be that your redirect to the local resolver is working then and your local domain gets resolved every time.
Another soultion would be to reach your lan from outside over your regular 4G connection (using DDNS with port forwarding and redirecting).


I have tried a lot of tcpdumping today and yesterday but failed to properly isolate DNS traffic to/from my phone; I will open a different topic for that right now and report back as soon as this is resolved.

I've been doing a lot of research on this the last couple of days and found out that Google Chrome (!) on my phone resolves local DNS just the way it should. Even without setting extra firewall rules.

I have a strong feeling now that my problems have little to do with Android or OpenWrt but rather Firefox' implementation of DNS on Android.

Thank you for all the help you've offered over the last couple of days. I've learnt a lot about OpenWrt and networks in general.

Maybe I will address this to the Firefox developers, but I feel like the work here is done for now.


If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Firefox uses DNS over HTTPS by default on both Android and PC, as a privacy feature. It ignores the system's DNS settings, afaik.

You can read more about it and how to turn it off here

EDIT: Btw, Chrome is also rolling out the same feature in version 83 and later, enabling DNS-over-HTTPS where it can


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.