Hairpining - doesnt work

OS on your ISP router needs to support the hairpin in its firewall. Look into your ISP router documentation.

its not ... apparently and u cant touch router internals.

IP address based connection forwarding or hairpin from ISP is then ruled out. You can still do domain based redirection based on dnsmasq.conf redirect the outgoing requests back to your local network. This can be done on the underlying openwrt router then.

In dnsmasq.conf add a line like:


Change to your actual domain and IP address to the IP address serving the service.

The requests for from your local network will land on the IP address then.

thats what i practically did , issue is that android devices are not using local DNS server so it doesnt work on android devices :frowning:

Do the Android devices have another gateway / DNS server defined in their settings separately or is the wifi setting on the router feeding the Android devices wrong?

You can still intercept these DNS requests.

Only if DoH and DoT are blocked.

We've been down this road already, twice.

The solution that is coming to my mind is the DNS hijacking (for a simple rule or two rules) or a pihole like DNS server that is implementing complex schema on the DNS part.

I had a partial success blocking packets originating from the surveilance system by a simple iptables drop rule. It is a fact when the device does not find a first server, then it looks for a backup. I had to do it twice back then. I can imagine, that Android might have up to 10 built in adressess before it gives up.

I can try DNS hijacking, thanks.
whats the benefit of pihole?

yeah as u said ... 10 maybe or more :slight_smile:

But the one thing that's not clear to me is the fact:
when I remove DNS server from the dumb router (where android is connected) everything works fine. Doesn't make sense to me at all.


I your case, none, since you can't get the DNS hijacking to work, and that's the 1st step.

Dumb router or dumb ap?
Dump AP doesn't touch the traffic flowing through it.

Apparently the might be resolving your public ip for the domain that you are trying to resolve to your internal network. Get a rid of this DNS resolver.

.... by (re)following

i need to try.

sorry dumb AP,

but now i removed DNS from dumb ap and it doesn't work... so no idea what happened...

i think its okay, bc on DNS server i have that rule


Is this the real IP, or something random you just put in there?

yes random sorry .. cp of kukulo ...

its /

Get som app that can display the IP and DNS on you Android clients...

i use ping app ... that should resolve dns
it just says unknown host - once trying to resolve.

@kukulo seems that howto is out of date....

there is no way to set Destination zone : unspecified

see here

Is this a screen shot from your router?

yes , i am trying to set it ...


is that list up to date? from the website ...

uclient-fetch -O - "
dibdot/DoH-IP-blocklists/master/doh-domains.txt" \