Force DNS and mitigate ISP hijacking

I tried resolving my issue on reddit (https://www.reddit.com/r/openwrt/comments/qhj066/i_think_isp_is_forcing_dns/) but couldn't. Now when I checked on my phone, there are 42 DNS servers! Mostly Google, I think.
I just want to force DNS on every device and not get it hijacked by the ISP.
Thank you!
Edit: I followed this guide ( https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy ) and it didn't work. I am also using the ad blocker package; mentioning it as that might be causing the issue.

1 Like

If your ISP is hijacking your DNS, you'll have to find a way to circumvent that.
Most likely they are already hijacking port 53, possibly 853, 5353, and DoH on 443.
If so, you should encapsulate the DNS packets in a VPN and bypass the controls. Or change ISP.

1 Like

Already tried, as mentioned in the reddit post. Thanks anyways!

Be sure to follow the instructions for NAT6, DoH and DoT in the extras:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#extras

1 Like

I did, no luck.

The problem is that the OP's ISP is hijacking the DNS packets OpenWrt sends.

1 Like

So the only option I have is to use a VPN? I was thinking of setting one up on Linode if they have a server near me, it's cheap, and I am able to set it up.

If they hijack all the available methods (DNSCrypt, DNS over HTTPS, DNS over TLS, DNS over Tor), then I cannot think of any other way.

1 Like

I am using adblock, in case that is causing the issue, and in it "force local DNS" is ticked.

You can try to stop Adblock and test for leaks, although I don't think this is the case.

How can they hijack DNS if you use the DNS over HTTPS proxy?

2 Likes

Let's check if you have properly followed the wiki:

uci show dhcp; uci show https-dns-proxy; uci show firewall; \
iptables-save -c; ip6tables-save -c; ipset list

Thanks a lot for your support!

1 Like

Ipset setup does not work - #2 by vgaetera

I went to both the links you provided and did the automated section of both. Still not working.

1 Like

Verify that IP sets are properly populated with the DoH domain IPs:

uci show firewall.doh; ipset list doh; \
uci show firewall.doh6; ipset list doh6

You can create and populate IP sets manually like this:

ipset setup
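The checks requested above (`uci show firewall.doh; ipset list doh` here, and `iptables-save -c` earlier in the thread) produce output that is easy to misread when the set exists but is empty. The following is an added example, not from the OpenWrt wiki, the linked guide or anyone in this thread: a POSIX sh snippet that inspects such output for the two things that have to be true for DoH interception to work, namely that the `doh` set actually has members and that a reject/drop rule matches that set on destination addresses. The two sample outputs are constructed by hand in the format `ipset list` and `iptables-save -c` print (the rule names and counters are invented), so it runs without a router; on a real device you would pipe the live command output into the same functions.

```shell
#!/bin/sh
# Added example: verify that a DoH-blocking IP set is populated and referenced.
# All sample data below is constructed for illustration, not captured from a router.

# Constructed `ipset list doh` output for a set that resolved two addresses.
SAMPLE_IPSET_OK='Name: doh
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 264
References: 1
Number of entries: 2
Members:
1.1.1.1
8.8.8.8'

# Constructed output for a set that exists but was never populated: the rule
# referencing it then matches nothing and clients keep reaching DoH servers.
SAMPLE_IPSET_EMPTY='Name: doh
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 216
References: 1
Number of entries: 0
Members:'

# Constructed `iptables-save -c` excerpt: one rule rejecting traffic to the set,
# one rule redirecting plain DNS to the router (chain names are hypothetical).
SAMPLE_IPTABLES='[0:0] -A zone_lan_forward -m set --match-set doh dst -m comment --comment "!fw3: Deny-DoH" -j reject
[12:840] -A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j DNAT --to-destination 192.168.1.1:53'

# Print the member count ipset reports ("Number of entries: N"), 0 if absent.
ipset_member_count() {
    printf '%s\n' "$1" | awk -F': ' '/^Number of entries:/ { n = $2 } END { print n + 0 }'
}

# Return 0 if at least one non-empty line follows the "Members:" header.
# The "Members:" rule is placed second so the header line itself is not counted.
ipset_populated() {
    printf '%s\n' "$1" | awk 'in_members && NF { found = 1 } /^Members:/ { in_members = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 if some rule matches set $1 on destination addresses with a
# reject/drop target; without this, clients never fail over to plain DNS.
doh_block_rule_present() {
    printf '%s\n' "$2" | grep -qE -- "--match-set $1 dst .*-j (reject|REJECT|DROP)"
}

# Usage on a live OpenWrt box would be:
#   ipset_populated "$(ipset list doh)" && doh_block_rule_present doh "$(iptables-save -c)"
if ipset_populated "$SAMPLE_IPSET_OK" && doh_block_rule_present doh "$SAMPLE_IPTABLES"; then
    echo "doh: $(ipset_member_count "$SAMPLE_IPSET_OK") members, block rule present"
fi
if ! ipset_populated "$SAMPLE_IPSET_EMPTY"; then
    echo "doh (empty sample): set has no members, DoH is not being blocked"
fi
```

The same two functions apply to the IPv6 set (`ipset list doh6` and `ip6tables-save -c`); an empty `doh6` set with a populated `doh` set is a common reason the interception appears to work for IPv4 only.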

I don't know anything about IP sets / what IP sets are.

1 Like

It should block clients from bypassing the router and accessing DoH servers.
The clients are expected to fail over to plain DNS, which can be intercepted on the router.

If the issue persists, make sure to disable all proxy and VPN in the client browser if any.
Otherwise it can encapsulate DNS traffic and make it problematic to intercept.

Everything is off. Still facing the problem :frowning: What should I do?