Hairpinning - doesn't work

Do the Android devices have another gateway / DNS server defined in their settings separately or is the wifi setting on the router feeding the Android devices wrong?

You can still intercept these DNS requests.

Only if DoH and DoT are blocked.

We've been down this road already, twice.

The solution that is coming to my mind is the DNS hijacking (for a simple rule or two rules) or a pihole like DNS server that is implementing complex schema on the DNS part.

I had partial success blocking packets originating from the surveillance system with a simple iptables drop rule. It is a fact that when the device does not find the first server, it looks for a backup. I had to do it twice back then. I can imagine that Android might have up to 10 built-in addresses before it gives up.

@kukulo
I can try DNS hijacking, thanks.
What's the benefit of pihole?

yeah, as you said ... 10 maybe or more :slight_smile:

But the one thing that's not clear to me is the fact:
when I remove DNS server 10.0.1.1 from the dumb router (where android is connected) everything works fine. Doesn't make sense to me at all.

thanks

In your case, none, since you can't get the DNS hijacking to work, and that's the 1st step.

Dumb router or dumb ap?
A dumb AP doesn't touch the traffic flowing through it.

Apparently 10.0.1.1 might be resolving the domain you are trying to reach to your public IP instead of your internal network. Get rid of this DNS resolver.

.... by (re)following https://openwrt.org/docs/guide-user/network/wifi/dumbap

I need to try.

sorry dumb AP,

but now I removed DNS 10.0.1.1 from the dumb AP and it doesn't work... so no idea what happened...

I think it's okay, because on the DNS server 10.0.1.1 I have that rule

address=/yourdomain.com/192.168.5.62

Is this the real IP, or something random you just put in there?

yes, random, sorry .. copied from kukulo ...

it's /10.0.1.104

Get some app that can display the IP and DNS on your Android clients...

I use a ping app ... that should resolve DNS.
It just says "unknown host" once it tries to resolve.

@kukulo seems that HowTo is out of date....

there is no way to set Destination zone: unspecified

see here

Is this a screen shot from your router?

yes, I am trying to set it ...

why?

Is that list up to date? From the website ... https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

uclient-fetch -O - "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-domains.txt"

This is pointless ... let's say a nonsense HowTo.

I executed everything that's written there ... i.e.

1) Configure firewall to intercept DNS traffic.
2) Filter DoH traffic with firewall and IP sets forcing LAN clients to switch to plain DNS. Set up
3) Configure firewall to filter DoT traffic forcing LAN clients to switch to plain DNS.

not sure about DNS forwarding or DNS redirection if these are required.

Otherwise 1-3 doesn't work .. The page is out of date and the whole concept is broken / not working for Android devices anymore .. it should be removed or tagged as not working / out of date.

Maybe I am wrong and DNS forwarding or DNS redirection also have to be set...

Don't know, as that HowTo is just commands .. no description etc...

The HowTo says:

DNS forwarding

Set up DNS forwarding to your local DNS server with Dnsmasq. Configure firewall to exclude the local DNS server from the interception rule.

and a few lines below... avoid....

DNS redirection

Avoid using Dnsmasq. Configure firewall to redirect the intercepted DNS traffic to your local DNS server.
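As an added example, not taken from the thread or the wiki page, this is what steps 1 and 3 of the HowTo and the dnsmasq address rule look like in UCI form on the main router, assuming the router itself runs dnsmasq at 10.0.1.1 and 10.0.1.104 is the internal host from the thread; yourdomain.com is a placeholder. The redirect section deliberately has no `option dest`, which corresponds to the "Destination zone: unspecified" that could not be found in LuCI.

```text
# /etc/config/firewall (router running dnsmasq at 10.0.1.1; assumed setup)

# Step 1: catch plain DNS (TCP/UDP 53) from every LAN client and DNAT it
# to the router's own resolver. No 'option dest': the redirect targets the
# router itself. If the resolver were a separate LAN host (e.g. a Pi-hole),
# exclude it with  option src_ip '!<resolver-ip>'  so its own upstream
# queries are not looped back (the "DNS forwarding" variant of the HowTo).
config redirect
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

# Step 3: reject DNS-over-TLS (port 853) towards the WAN, so a client with
# "Private DNS" enabled falls back to plain DNS, which step 1 then catches.
config rule
	option name 'Reject-DoT'
	option src 'lan'
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp udp'
	option target 'REJECT'

# /etc/config/dhcp (UCI form of address=/yourdomain.com/10.0.1.104)
config dnsmasq
	list address '/yourdomain.com/10.0.1.104'
```

After `service firewall restart` and `service dnsmasq restart`, a lookup from a LAN client against a foreign resolver (for example `nslookup yourdomain.com 8.8.8.8`) should still return 10.0.1.104, because the query never leaves the router; if it returns the public IP, the interception is not matching that client's traffic.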

Okay
assuming there is no solution for such an issue, and the links/articles regarding DoT/DoH blocking are just broken code... that never worked....

or the broken part is in the other end...