How to make https-dns-proxy and/or adblock-fast (nft) not force router DNS on clients that are already using a specific DNS provider?

I have a 23.05 router with https-dns-proxy (firewall4/nftables) configured to use a certain external DoH/DoT resolver. "Force router DNS" to local clients is ON. I also use adblock-fast.

I have a mix of clients:

  1. "Protected" clients are configured to use a specific DoH/DoT resolver (at the moment it's the same one as the router's); those never go via unsecured DNS and can't fall back to port 53.
  2. Semi-protected clients use a different DoH/DoT resolver that falls back to port 53 if needed.
  3. Unprotected clients take whatever was supplied by the router via DHCP.

Group 1 never works, for an obvious reason (a REJECT is done).
LuCI doesn't offer any obvious way to make exceptions.

What's the proper/elegant way to configure my router so it doesn't force DNS on clients that are already "protected"?
Ideally, please advise how it can be done by the name of the DNS server (I don't change them frequently), so if a client is trying to contact that DNS server via DoT/DoH, it's not forced to port 53.
It should be kind of flexible, so it's not broken by a change of the secure DNS package (as long as the new one uses the same nft/firewall4) and doesn't interfere with adblock-fast.

However, if I have no choice, it can also be done via client MAC (not preferred, as MACs are random at the moment), by client IP (I don't use static IPs, random MAC), or, worst of all, by subnet (I don't want to separate LANs for protected and unprotected clients).

Relevant discussions and info:

nft list ruleset
chain dstnat_lan {
    tcp dport 53 counter packets 0 bytes 0 redirect to :53 comment "!fw4: ubus:https-dns-proxy[instance1] redirect 0"
    udp dport 53 counter packets 238 bytes 14307 redirect to :53 comment "!fw4: ubus:https-dns-proxy[instance1] redirect 0"
}

Thank you!

SSH into your router and check the contents of /etc/config/https-dns-proxy. If the first section (config main 'config') includes list force_dns_port '853', delete that line. Then run /etc/init.d/https-dns-proxy reload.
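A way to verify the result of that edit, as an added example that is not from this thread or from the https-dns-proxy project: the script below reads an `nft list ruleset` dump and lists every DNS-forcing rule that https-dns-proxy or adblock-fast registered through fw4 (the `!fw4: ubus:...` comments seen in the ruleset above), with the chain, port and whether it redirects or rejects. After removing port 853 from force_dns_port and reloading, the audit should no longer show an 853 entry. The sample ruleset is constructed for the demo in the same shape as the thread's output; the `forward_lan` reject rule and its comment text are an assumption about how the 853 rule is rendered, not copied from a real router.

```shell
#!/bin/sh
# Audit an `nft list ruleset` dump for DNS-forcing rules registered via fw4's
# ubus interface by https-dns-proxy or adblock-fast.
# On a router:  nft list ruleset | dns_force_audit
# Output: one line per rule, "<chain> <proto> <port> <action>".
dns_force_audit() {
  awk '
    # remember which chain we are inside
    /^[[:space:]]*chain [A-Za-z0-9_]+ [{]/ { chain = $2 }
    # only rules fw4 created on behalf of these two packages
    /comment "!fw4: ubus:(https-dns-proxy|adblock-fast)/ {
      proto = $1; port = ""; action = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "dport")    port = $(i + 1)
        if ($i == "redirect") action = "redirect"
        if ($i == "reject")   action = "reject"
      }
      if (port != "") print chain, proto, port, action
    }' "$@"
}

# Distinct ports that are currently intercepted (redirected or rejected).
forced_ports() {
  dns_force_audit "$@" | awk '{ print $3 }' | sort -un
}

# Exit 0 if the given port is still intercepted, 1 otherwise.
port_forced() {
  forced_ports | grep -qx "$1"
}

# Constructed sample: the dstnat_lan chain quoted in the thread plus an assumed
# forward_lan reject for DoT (port 853) in the same fw4 ubus naming style.
sample_ruleset() {
  cat <<'EOF'
table inet fw4 {
	chain dstnat_lan {
		tcp dport 53 counter packets 0 bytes 0 redirect to :53 comment "!fw4: ubus:https-dns-proxy[instance1] redirect 0"
		udp dport 53 counter packets 238 bytes 14307 redirect to :53 comment "!fw4: ubus:https-dns-proxy[instance1] redirect 0"
	}
	chain forward_lan {
		tcp dport 853 counter packets 0 bytes 0 reject comment "!fw4: ubus:https-dns-proxy[instance1] rule 0"
	}
}
EOF
}

# Demo run on the constructed sample. The remediation itself is the one from
# the reply above; in uci terms (assumed equivalent to editing the file):
#   uci del_list https-dns-proxy.config.force_dns_port='853'
#   uci commit https-dns-proxy && /etc/init.d/https-dns-proxy reload
sample_ruleset | dns_force_audit
if sample_ruleset | port_forced 853; then
  echo "port 853 (DoT) is still intercepted for LAN clients"
fi
```

Run it once before and once after the reload; the 853 line disappearing from the audit is the confirmation that DoT to the clients' own resolver is no longer rejected, while the port 53 redirects for the unprotected clients stay in place.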

Pretty obvious, they don't use the DNS protocol. You can subvert them by adding canary domains; if their config is forced to DoT you must block the DoT port, if it is DoH you have to block the DoH services' IP addresses.
https-dns-proxy does the first two automatically.

Will it also allow clients that are "2. Semi-protected that use a different DoH/DoT resolver that falls back to 53 if needed" to continue using their "different" DoH/DoT? I prefer to force such clients to "my" upstream secure DNS resolver instead of allowing them to use theirs.

It's just "my" upstream secure DNS resolver that I want to allow/bypass for clients of group "1. Protected...".

I probably wasn't clear enough in my explanation; I'm sorry for that.

I don't want clients that are already using "trusted" upstream DNS (and those rejecting to switch to unsecure DNS) to be forced to go through my "local" https-dns-proxy and adblock-fast. I want to pass them through as is to trusted upstream secure DNS.

As soon as a certain client uses a "not trusted" upstream secure DNS and refuses to switch to my local https-dns-proxy and adblock-fast, I'm fine with it.

For the rest of the clients, that are willing to switch to my local https-dns-proxy and adblock-fast, I want to continue doing so.

I thought in the worst case I would have to add some fw4 "accept" rules if they go to port 853 or 443 of my trusted upstream DNS, prior to the ones added by https-dns-proxy and adblock-fast

... but thought that there may be a proper/elegant way to solve it, and thus have decided to ask here

Disable all canary domains in https-dns-proxy, that way clients already using DoH will keep using their DoH servers. Coupled with an earlier suggestion from @krazeh to remove port 853 from the forced ports list, that should do the trick.


Will it also allow clients that are "2. Semi-protected that use a different DoH/DoT resolver that falls back to 53 if needed" to continue using their "different" DoH/DoT? I prefer to force such clients to "my" upstream secure DNS resolver instead of allowing them to use theirs.

It's just "my" upstream secure DNS resolver that I want to allow/bypass for clients of group "1. Protected...".

Without the canary domains, the Mozilla/iCloud devices will keep using their encrypted DNS resolvers. With canary domains enabled, those devices would stop using the encrypted DNS resolvers and would "downgrade" to using DNS resolution from your network.

Clients that are not aware of the canary domains should keep using their encrypted DNS servers without ever using your network's DNS resolution.

I haven't been following up on this subject though, so I don't know if other browsers (besides Firefox) also check the Mozilla canary domain, nor if other devices (besides iOS ones) check the iCloud Private Relay canary domains.

What are these devices? And why can they not fall back?

An example: an Android smartphone with always-on VPN, a DoT upstream resolver and a setting that "prevents DNS leaks" (captures everything on port 53 and forwards it to the set upstream resolver). I trust that upstream resolver and want to allow it. And if by chance there is another device like that, but using a "not trusted" upstream resolver, then it's OK if it can't use my network. I want to pass only devices of type 1, without fallback to port 53.

If a device is using a VPN then it's going to be bypassing your firewall anyway. You don't need to worry about anything on the OpenWrt router intercepting the traffic.

At the moment it doesn't proxy DNS requests (so it can resolve the VPN gateway IP, etc.), but I can enable proxying (still, the first resolution of the VPN gateway IP must happen).

Anyone, please?