Force DoH for all clients

Is there any way to force DoH for all devices on my network?
I believe certain devices are hard coded to use their own service providers regardless of what is set up on a router. The pfSense answer was to redirect port 53 to 127.0.0.1 and then somehow redirect that to 853, defeating any circumvention, through firewall rules I believe.

I did not bother saving the link to the article as it will be a different interface from theirs, if this can be done on OpenWrt.
I currently use Quad9's 9.9.9.9 and 149.112.112.112 servers.

Anyone know how to achieve this for a novice like me? Thanks.

Install https-dns-proxy. This will be configured as the upstream DoH server for dnsmasq; there are settings to force DNS53 and DoT (port 853) via the router.


Will doing this break anything already set up?
I am currently using Quad9 servers.
I am also using the onboard WiFi on the Pi4 / OpenWrt install to connect to my phone's hotspot to provide internet access; this is all working well as of now.

Did I pick this up right: are there extra steps to do in order to have the local DNS queries dealt with on the router instead of using DoH for them too?

This blocks outgoing queries from the clients.

But if it blocks outgoing DNS queries, how will they reach the internet?

Their DNS queries won't, which is the whole point.
The router will do DoH for them.

Technically it's not a block but a forceful redirect. Clients' outgoing DNS traffic gets intercepted on your OpenWrt router.

For the regular DNS requests.
DoT and DoH need to be blocked, to force them to use the local DNS.

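The redirect and block described in the replies above, written out as OpenWrt UCI config. This is an added example, not configuration posted by anyone in the thread or shipped by the https-dns-proxy package: it assumes a LAN zone named `lan`, a WAN zone named `wan`, and the Quad9 DoH endpoint `https://dns.quad9.net/dns-query` bootstrapped with the two Quad9 IPs the original poster already uses. The section names (`Intercept-DNS`, `Deny-DoT`) are made up for readability.

```uci
# /etc/config/firewall (added sections)

# Transparently redirect every LAN client's plain DNS (port 53, TCP+UDP)
# to the router itself. No dest_ip means "this device", so clients with a
# hard-coded resolver such as 8.8.8.8 still end up asking dnsmasq.
config redirect
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

# DoT has its own port, so it can be refused outright; clients that cannot
# reach 853 fall back to plain DNS, which the redirect above captures.
config rule
	option name 'Deny-DoT'
	option src 'lan'
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp udp'
	option target 'REJECT'

# /etc/config/https-dns-proxy (example upstream; assumed Quad9 endpoint)

# dnsmasq is pointed at this local listener by the package's own
# dnsmasq_config_update option; the router then speaks DoH upstream.
config main 'config'
	option dnsmasq_config_update '*'

config https-dns-proxy
	option bootstrap_dns '9.9.9.9,149.112.112.112'
	option resolver_url 'https://dns.quad9.net/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5053'
```

After editing, `/etc/init.d/firewall restart` and `/etc/init.d/https-dns-proxy restart` apply the changes. A quick check from a LAN client is to query a foreign resolver directly (`nslookup example.com 8.8.8.8`); the answer should come back from the router, not from 8.8.8.8. Note that DoH cannot be refused by port the way DoT can: it shares 443 with ordinary HTTPS, so blocking it means denying the specific DoH hostnames or IP ranges a client might use, which is why the thread's answer has dnsmasq handle the clients and leaves DoH to the router only.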