How can I set up https-dns-proxy to recognise local names? There is a working file “/etc/config/hosts.localnet” that does its work without the proxy, so that my local machines can find each other. But when I activate the proxy, that file is not used any more.
I followed these instructions (*), and the result is working, but with the above described exception. Actually, I do not know how to change this setup to make it work as you suggested.
(*) In the description it is said that…
Dnsmasq forwards DNS queries to https-dns-proxy which encrypts DNS traffic.
As far as I understand it, dnsmasq should always check a local resolve file before forwarding any DNS query, encrypted or not.
I don't use it myself, but on paper -
https-dns-proxy shouldn't be listening to port 53, dnsmasq should.
dnsmasq should use https-dns-proxy as upstream DNS resolver for all queries.
Running netstat -tlup via ssh should show you who's listening.
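The two checks the reply above recommends (who holds port 53, and whether dnsmasq is still the one consulting the extra hosts file before forwarding) can be scripted. The following is an added example, not code from the thread or from the OpenWrt project: it parses netstat -tlup output and uci show dhcp output read from stdin, so it runs offline against constructed sample text. It assumes https-dns-proxy listens on 127.0.0.1:5053, that dnsmasq's settings live in the first dnsmasq section of /etc/config/dhcp (dhcp.@dnsmasq[0]), and that the hosts file is registered through dnsmasq's addnhosts list.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): audit the dnsmasq /
# https-dns-proxy split. Expected layout:
#   - dnsmasq owns port 53, so LAN clients talk to it and its extra hosts
#     file is consulted before any query is forwarded;
#   - https-dns-proxy listens only on loopback (127.0.0.1:5053 assumed)
#     and is reached solely as dnsmasq's upstream.
# Functions read command output from stdin so they can be exercised
# against the constructed samples below; on the router, pipe the real
# `netstat -tlup` and `uci show dhcp` output into them instead.

# Print "proto local-address program" for every socket bound to PORT.
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")          # text after the last ":" is the port
            if (a[n] == port) {
                sub(/^[0-9]*\//, "", $NF)   # drop the "PID/" prefix
                print $1, $4, $NF
            }
        }'
}

# Return 0 when every port-53 listener is dnsmasq and https-dns-proxy is
# bound only to loopback; otherwise report each problem and return 1.
check_dns_layout() {
    ns=$(cat)
    rc=0
    if ! printf '%s\n' "$ns" | listeners_on_port 53 | grep -q ' dnsmasq$'; then
        echo "nothing named dnsmasq is listening on port 53"; rc=1
    fi
    other=$(printf '%s\n' "$ns" | listeners_on_port 53 | awk '$3 != "dnsmasq"')
    if [ -n "$other" ]; then
        echo "port 53 is held by something other than dnsmasq:"; echo "$other"; rc=1
    fi
    exposed=$(printf '%s\n' "$ns" | awk '$NF ~ /\/https-dns-proxy$/ && $4 !~ /^(127\.|::1:)/')
    if [ -n "$exposed" ]; then
        echo "https-dns-proxy is reachable beyond loopback:"; echo "$exposed"; rc=1
    fi
    return $rc
}

# Return 0 when `uci show dhcp` output lists PROXY as a dnsmasq upstream and
# HOSTSFILE in addnhosts; usage: dnsmasq_config_ok PROXY HOSTSFILE
dnsmasq_config_ok() {
    cfg=$(cat)
    rc=0
    printf '%s\n' "$cfg" | grep -q "^dhcp\.@dnsmasq\[0\]\.server=.*'$1'" \
        || { echo "dnsmasq does not list '$1' as an upstream server"; rc=1; }
    printf '%s\n' "$cfg" | grep -q "^dhcp\.@dnsmasq\[0\]\.addnhosts=.*'$2'" \
        || { echo "addnhosts does not include $2"; rc=1; }
    return $rc
}

# Constructed sample output (not captured from a real router).
NETSTAT_GOOD='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1234/dnsmasq
tcp        0      0 :::53                   :::*                    LISTEN      1234/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1234/dnsmasq
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           2345/https-dns-proxy'

# Constructed failure case: the proxy grabbed port 53 and is bound to all addresses.
NETSTAT_BAD='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2345/https-dns-proxy
udp        0      0 0.0.0.0:5053            0.0.0.0:*                           2345/https-dns-proxy'

# Constructed `uci show dhcp` excerpt for the intended setup.
UCI_GOOD="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].server='127.0.0.1#5053'
dhcp.@dnsmasq[0].addnhosts='/etc/config/hosts.localnet'"

# Run `sh thisfile.sh --demo` to see the checks against the samples.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$NETSTAT_GOOD" | check_dns_layout && echo "good layout: OK"
    printf '%s\n' "$NETSTAT_BAD" | check_dns_layout || echo "bad layout: problems detected"
    printf '%s\n' "$UCI_GOOD" | dnsmasq_config_ok '127.0.0.1#5053' /etc/config/hosts.localnet && echo "config: OK"
fi
```

On the router, source the file and run `netstat -tlup | check_dns_layout` and `uci show dhcp | dnsmasq_config_ok '127.0.0.1#5053' /etc/config/hosts.localnet`. If the first check passes but the second reports a missing addnhosts entry, that is the situation in the opening post: dnsmasq forwards to the proxy correctly but was never told about the extra hosts file, so local names fall through to the upstream.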
I also set those options described in the chapter “Private DNS server cannot be accessed on Android”, and that’s where the problem really starts: I activated “private DNS” on my phone for use on the mobile network. But I don’t want to toggle this option every time I enter my wifi zone and re-enable it every time I exit my wifi again.
While connected to my wifi, my phone needs to be able to connect to other local machines, e.g. “smart home” devices. They will only be reachable if I deactivate the private DNS option on the phone, which is of course pretty inconvenient. There must be a better solution to this.
Well, as you said: “…the clients should then fall back to vanilla unencrypted DNS traffic.”
Meaning: they should, but they don’t! Android does not seem to care what it should do: if “private DNS” (that’s what DoH is called on Android) is activated, the phone can’t reach any public site whatsoever when connected to my wifi with banIP on the router.
This is a very sad and frustrating situation:
I’m running a home server that provides a service to which the appropriate Android app won’t connect if no valid SSL certificate can be found. The app does not accept self-signed certs.
Solution to this: LetsEncrypt. Easy to install and working perfectly, even when the server is not publicly accessible.
But: because my home server is not to be connected from the outside, its public name needs to be resolved to its internal IP on my home network, otherwise the LE cert will be rejected as invalid.
This works unless I activate “private DNS” on my phone: if it’s activated, my phone can’t connect to my home server on my home network, because it will receive the public IP.
On my PC, the solution is simple: just putting the server’s internal IP into /etc/hosts, and my PC can reach the internal server by its public name. Great!
But sadly, Android does not provide an easy way to edit /etc/hosts; rooting the device is required, and I really don’t want to do that. Of course, the easiest solution to this tricky situation would be me turning off “private DNS” whenever my phone connects to my wifi and reactivating it later. But this will not work reliably all the time due to human nature, and it feels like being back in the 1950s again…
I guess I’ll have to look elsewhere for a solution to this; there’s nothing that OpenWRT can do about this.