Force dns and mitigate isp hijacking

I tried resolving my issue on reddit ( but couldn't. Now when I checked on my phone, there are 42 dns servers! mostly google i think.
I just want to force dns on every device and not get it hijacked by isp.
Thank you!
Edit: I followed this guide ( and didn't work. I am also using ad blocker package, mentioning as that might be causing the issue.

1 Like

If your ISP is hijacking your DNS, you'll have to find a way to circumvent that.
Most likely they are already hijacking port 53, possibly 853, 5353, and DoH 443.
If so you should encapsulate the dns packets in a vpn and bypass the controls. Or change ISP.

1 Like

Already tried, as mentioned in the reddit post. Thanks anyways!

Be sure to follow the instructions for NAT6, DoH and DoT in the extras:

1 Like

I did, no luck.

The problem is that the OP's ISP is hijacking the DNS packets OpenWrt sends.

1 Like

So the only option I have is to use vpn? I was thinking to set one up on linode if they have server near me, cheap, and I am able to set up.

If they hijack all the available methods (DNSCrypt,DNSoverHTTPS, DNSoverTLS, DNSoverTor) then I cannot think of any other way.

1 Like

I am using adblock in case that is causing the issue. and in that, force local dns is ticked.

You can try to stop Adblock and test for leaks, although I don't think this is the case.

How can they hijack dns if you use dns over https proxy?


Let's check if you have properly followed the wiki:

uci show dhcp; uci show https-dns-proxy; uci show firewall; \
iptables-save -c; ip6tables-save -c; ipset list

Thanks a lot for your support!

1 Like

Ipset setup does not work - #2 by vgaetera

I went to both the links you provided and did the automated section of both. Still not working.

1 Like

Verify that IP sets are properly populated with the DoH domain IPs:

uci show firewall.doh; ipset list doh; \
uci show firewall.doh6; ipset list doh6

You can create and populate IP sets manually like this:

ipset setup

I dont know anything about/what are ip sets.

1 Like

It should block clients from bypassing the router and accessing DoH servers.
The clients are expected to failover to plain DNS which can be intercepted on the router.

If the issue persists, make sure to disable all proxy and VPN in the client browser if any.
Otherwise it can encapsulate DNS traffic and make it problematic to intercept.

everything is off. still facing the problem :frowning: What should I do?