Https-dns-proxy - Bypass force_dns_port '853' for one specific device

I have been using https-dns-proxy successfully and am very happy with it.
But I want to know if it's possible to bypass the force_dns_port '853' option for one specific device on my network.
Let's assume the device is set to static IP 192.168.1.22; is it possible to have this device still use port 853 with a different DNS provider? Or by its MAC address?
If it is possible, what do I need to do?

root@OpenWrt:~# cat /etc/config/https-dns-proxy

config main 'config'
        option dnsmasq_config_update '*'
        option force_dns '1'
        list force_dns_port '53'
        list force_dns_port '853'
        list force_dns_src_interface 'lan'
        option procd_trigger_wan6 '0'
        option heartbeat_domain 'heartbeat.melmac.ca'
        option heartbeat_sleep_timeout '10'
        option heartbeat_wait_timeout '10'
        option user 'nobody'
        option group 'nogroup'
        option listen_addr '127.0.0.1'
        option canary_domains_icloud '1'
        option canary_domains_mozilla '1'

config https-dns-proxy
        option bootstrap_dns 'xxxx,xxxx,xxxx,xxxx'
        option resolver_url 'https://d.adguard-dns.com/dns-query/xxxx'
        option listen_port '5053'

If you aren't globally blocking port 853 in the firewall, and the device can be manually configured to use a different DoT server ....

I haven't blocked it. I just used the option provided in https-dns-proxy. I have edited my main post to add my https-dns-proxy config.

That effectively blocked port 853 on the firewall.

In the old days you just inserted a rule to ACCEPT the IP address, which then came before that blocking rule. It is possible to also do this with nftables, but you need the right hook.

You can try with the DNS redirect rule: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#dns_over_https

and then use ACCEPT instead of REJECT and specify the source IP address, but I'm not sure if this rule then comes before the blocking rule.
nft list ruleset will show it.

Oh, I'll have to look into that.
Btw, I also have the pbr (policy based routing) package installed. Its rules are all disabled at the moment. I see that it has a redirect DNS policy that can be configured.
Since both https-dns-proxy and pbr are created by @stangri, maybe there is some compatibility between them that will let me create a rule to bypass DoT blocking for one specific device only?

Yes, pbr will have precedence, so you can try with that.

https-dns-proxy blocks 853 in a creative way, directing it to its own DNS port. You see a redirect (DNAT to self) rule instead of a drop.

Oh, so you would say it's not possible to exclude just one device?
pbr rules also seem to have no effect.

You just disable the dox proxy firewall and add the rule manually with due exceptions.

Oh, yeah! I didn't think of it before.
So, I deleted this line from the https-dns-proxy config: force_dns_port '853'.
Then I created two traffic rules in Firewall. I based them on MAC address instead of using static IPv4 & IPv6, as I always use my device MAC on my phone Wi-Fi.

config rule
        option src 'lan'
        option dest 'wan'
        option name 'Allow DoT for Narzo'
        list proto 'tcp'
        list src_mac 'AC:xx:xx:xx:xx:0F'
        option dest_port '853'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'Block DoT for All'
        option dest_port '853'
        option target 'REJECT'

Now it's working. This is it, right?

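Two things have to hold for the fix in the post above to work, and both can be checked before reloading the firewall: the 853 entry must be gone from force_dns_port (otherwise the DNAT-to-self redirect mentioned earlier fires in prerouting, before the forward rules are ever consulted), and the per-device ACCEPT must sit above the global REJECT, since fw4 emits traffic rules in config-file order and the first match wins, which is the ordering concern raised earlier about checking nft list ruleset. The script below is an added example, not code from this thread or from the https-dns-proxy or pbr packages; the config fragments inside it are constructed from the posts, and the parser only handles the plain config/option/list lines these files use.

```python
"""Sanity checks for the per-device DoT exception discussed in the thread.

Two things must both be true for one client to reach an outside DoT server:
 1. https-dns-proxy must no longer list 853 in force_dns_port, otherwise its
    DNAT-to-self redirect fires in prerouting before any forward rule runs;
 2. in /etc/config/firewall the narrow ACCEPT must precede the broad REJECT,
    because fw4 emits traffic rules in file order and the first match wins.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two traffic rules from the final post, in file order.
FIREWALL_OK = """
config rule
        option src 'lan'
        option dest 'wan'
        option name 'Allow DoT for Narzo'
        list proto 'tcp'
        list src_mac 'AC:xx:xx:xx:xx:0F'
        option dest_port '853'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'Block DoT for All'
        option dest_port '853'
        option target 'REJECT'
"""
# Same two rules in the wrong order: the REJECT would shadow the ACCEPT.
_ALLOW, _BLOCK = FIREWALL_OK.strip().split("\n\n")
FIREWALL_SHADOWED = _BLOCK + "\n\n" + _ALLOW

# Constructed sample: the 'main' section of /etc/config/https-dns-proxy
# before and after deleting the 853 entry, as done in the thread.
PROXY_BEFORE = """
config main 'config'
        option force_dns '1'
        list force_dns_port '53'
        list force_dns_port '853'
        list force_dns_src_interface 'lan'
"""
PROXY_AFTER = PROXY_BEFORE.replace("        list force_dns_port '853'\n", "")


@dataclass
class Section:
    kind: str
    name: Optional[str]
    opts: Dict[str, object] = field(default_factory=dict)  # option->str, list->[str]


def parse_uci(text: str) -> List[Section]:
    """Minimal parser for UCI config/option/list lines (quoting via shlex)."""
    sections: List[Section] = []
    cur: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            cur = Section(parts[1], parts[2] if len(parts) > 2 else None)
            sections.append(cur)
        elif cur is None:
            raise ValueError(f"{parts[0]} before any config section")
        elif parts[0] == "option":
            cur.opts[parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list":
            cur.opts.setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def proxy_still_forces(text: str, port: str = "853") -> bool:
    """True if https-dns-proxy (with force_dns explicitly '1') still lists `port`."""
    for s in parse_uci(text):
        if s.kind == "main" and s.opts.get("force_dns") == "1":
            return port in s.opts.get("force_dns_port", [])
    return False


def check_dot_exception(text: str, port: str = "853") -> Tuple[bool, List[str]]:
    """Return (ok, problems) for the lan->wan traffic rules matching `port`.

    Only exact single-port dest_port values are considered; ranges and
    port lists are out of scope for this check.
    """
    rules = [s for s in parse_uci(text)
             if s.kind == "rule"
             and s.opts.get("src") == "lan" and s.opts.get("dest") == "wan"
             and s.opts.get("dest_port") == port
             and s.opts.get("enabled", "1") != "0"]
    problems: List[str] = []
    blocks = [i for i, r in enumerate(rules) if r.opts.get("target") in ("REJECT", "DROP")]
    accepts = [i for i, r in enumerate(rules) if r.opts.get("target") == "ACCEPT"]
    if not blocks:
        problems.append(f"no REJECT/DROP rule for lan->wan port {port}")
    if not accepts:
        problems.append(f"no ACCEPT exception for port {port}")
    for i in accepts:
        o = rules[i].opts
        name = o.get("name", f"rule#{i}")
        if not (o.get("src_mac") or o.get("src_ip")):
            problems.append(f"{name}: ACCEPT has no src_mac/src_ip, it would open {port} for every client")
        if blocks and i > blocks[0]:
            problems.append(f"{name}: ACCEPT is after the blocking rule and never matches")
    return (not problems, problems)


if __name__ == "__main__":
    print("proxy still forces 853 (before):", proxy_still_forces(PROXY_BEFORE))
    print("proxy still forces 853 (after): ", proxy_still_forces(PROXY_AFTER))
    print(check_dot_exception(FIREWALL_OK))
    print(check_dot_exception(FIREWALL_SHADOWED))
```

Run it against the real files with `check_dot_exception(open('/etc/config/firewall').read())` and `proxy_still_forces(open('/etc/config/https-dns-proxy').read())`; the MAC-based selector is checked for presence only, so a rule that accepts without src_mac or src_ip is flagged because it would reopen 853 for the whole LAN rather than one device.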

Yes, that is the correct config. Please accept your answer, as anyone reading this would get their thing fixed using it.

