Force DNS and mitigate ISP hijacking

Already tried, as mentioned in the reddit post. Thanks anyways!

Be sure to follow the instructions for NAT6, DoH and DoT in the extras:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#extras

I did, no luck.

The problem is that the OP's ISP is hijacking the DNS packets OpenWrt sends.

So the only option I have is to use a VPN? I was thinking of setting one up on Linode if they have a server near me, cheap, and I am able to set it up.

If they hijack all the available methods (DNSCrypt, DNS over HTTPS, DNS over TLS, DNS over Tor) then I cannot think of any other way.

I am using Adblock, in case that is causing the issue, and in it "force local DNS" is ticked.

You can try to stop Adblock and test for leaks, although I don't think this is the case.

How can they hijack DNS if you use a DNS over HTTPS proxy?

Let's check if you have properly followed the wiki:

uci show dhcp; uci show https-dns-proxy; uci show firewall; \
iptables-save -c; ip6tables-save -c; ipset list

Thanks a lot for your support!

Ipset setup does not work - #2 by vgaetera

I went to both the links you provided and did the automated section of both. Still not working.

Verify that IP sets are properly populated with the DoH domain IPs:

uci show firewall.doh; ipset list doh; \
uci show firewall.doh6; ipset list doh6

You can create and populate IP sets manually like this:

ipset setup

I don't know anything about IP sets or what they are.

It should block clients from bypassing the router and accessing DoH servers.
The clients are expected to fail over to plain DNS, which can be intercepted on the router.

If the issue persists, make sure to disable all proxy and VPN in the client browser if any.
Otherwise it can encapsulate DNS traffic and make it problematic to intercept.
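The setup described above rests on three things: port 53 redirected in the nat table, the `doh` IP set populated, and a filter rule rejecting traffic to that set. Below is an added example (not from this thread or the OpenWrt wiki) that audits constructed `iptables-save -c` and `ipset list` output for those three conditions; the sample rules and 203.0.113.x addresses are made up for illustration.

```python
import re

# Constructed sample output modelled on an OpenWrt router following the
# intercept_dns wiki page; not captured from any real device.
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
[120:8400] -A PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
[15:900] -A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
COMMIT
*filter
:FORWARD ACCEPT [0:0]
[7:420] -A FORWARD -i br-lan -p tcp -m tcp --dport 443 -m set --match-set doh dst -j REJECT --reject-with tcp-reset
COMMIT
"""

IPSET_LIST = """\
Name: doh
Type: hash:ip
Members:
203.0.113.10
203.0.113.11
"""

def ipset_members(ipset_output, name):
    """Return the member lines of the named set from `ipset list` output."""
    members, current, in_members = [], None, False
    for line in ipset_output.splitlines():
        if line.startswith("Name: "):
            current, in_members = line.split(": ", 1)[1], False
        elif line.strip() == "Members:":
            in_members = True
        elif in_members and current == name and line.strip():
            members.append(line.strip())
    return members

def audit_dns_intercept(iptables_output, ipset_output, set_name="doh"):
    """Check the pieces the intercept setup relies on; return a dict of booleans."""
    table, redirected, blocked = None, set(), False
    for line in iptables_output.splitlines():
        if line.startswith("*"):
            table = line[1:]                      # track which table we are in
        elif table == "nat" and "PREROUTING" in line and "--dport 53 " in line \
                and re.search(r"-j (REDIRECT|DNAT)", line):
            redirected.add(re.search(r"-p (udp|tcp)", line).group(1))
        elif table == "filter" and f"--match-set {set_name} dst" in line \
                and re.search(r"-j (REJECT|DROP)", line):
            blocked = True                        # clients cannot reach DoH IPs directly
    return {
        "udp53_intercepted": "udp" in redirected,
        "tcp53_intercepted": "tcp" in redirected,
        "doh_blocked": blocked,
        "doh_set_populated": bool(ipset_members(ipset_output, set_name)),
    }
```

On a real router, feed it the output of `iptables-save -c` and `ipset list` from the checklist earlier in the thread; any False entry points at the step that was skipped.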

Everything is off. Still facing the problem. What should I do?

What exactly is off and what issue are you facing?

VPN is off and I want 1.1.1.1 as DNS, but the ISP is hijacking it.

This is probably a misunderstanding: your router is configured to intercept DNS and redirect it to DoH.
At this point, all your DNS traffic should be encrypted, which makes it impossible for the ISP to hijack it.

There's not much else that can be done on the router, and the rest depends on the client OS and browser.
If you use a Chrome-based mobile browser, try disabling its Lite mode and Encrypted DNS features.