iCloud Private Relay not allowed on this network

The most common way to block DoH in OpenWRT would be using BanIP.

However, the DoH blocklists would include 8.8.8.8, so if your OpenWRT were blocking DoH, then you would not be able to access 8.8.8.8 either, which doesn't seem to be the case here.

root@openwrt:~# ipset list doh_4 | grep 8.8.8.8
8.8.8.8 packets 493 bytes 33663

I'd suggest the following test to narrow down the scope of the problem, preferably not performed on your OpenWRT but on a machine connected to the LAN side.

Attempt to directly use Apple nameservers to resolve the query and see what happens.

$ nslookup
> set type=NS
> icloud.com
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
icloud.com	nameserver = a.ns.apple.com.
icloud.com	nameserver = c.ns.apple.com.
icloud.com	nameserver = b.ns.apple.com.
icloud.com	nameserver = d.ns.apple.com.

Authoritative answers can be found from:
a.ns.apple.com	internet address = 17.253.200.1
b.ns.apple.com	internet address = 17.253.207.1
c.ns.apple.com	internet address = 204.19.119.1
d.ns.apple.com	internet address = 204.26.57.1
a.ns.apple.com	has AAAA address 2620:149:ae0::53
b.ns.apple.com	has AAAA address 2620:149:ae7::53
c.ns.apple.com	has AAAA address 2620:171:800:714::1
d.ns.apple.com	has AAAA address 2620:171:801:714::1
> server a.ns.apple.com
Default server: a.ns.apple.com
Address: 17.253.200.1#53
Default server: a.ns.apple.com
Address: 2620:149:ae0::53#53
> mask.icloud.com
Server:		a.ns.apple.com
Address:	17.253.200.1#53

mask.icloud.com	canonical name = mask.apple-dns.net.

> mask.apple-dns.net
Server:		a.ns.apple.com
Address:	17.253.200.1#53

Non-authoritative answer:
*** Can't find mask.apple-dns.net: No answer

Authoritative answers can be found from:
mask.apple-dns.net	nameserver = ns-1462.awsdns-54.org.
mask.apple-dns.net	nameserver = ns-49.awsdns-06.com.
mask.apple-dns.net	nameserver = ns-1737.awsdns-25.co.uk.
mask.apple-dns.net	nameserver = ns-781.awsdns-33.net.
> server ns-1462.awsdns-54.org
Default server: ns-1462.awsdns-54.org
Address: 205.251.197.182#53
Default server: ns-1462.awsdns-54.org
Address: 2600:9000:5305:b600::1#53
> mask.apple-dns.net
Server:		ns-1462.awsdns-54.org
Address:	205.251.197.182#53

mask.apple-dns.net	nameserver = ns-1462.awsdns-54.org.
mask.apple-dns.net	nameserver = ns-1737.awsdns-25.co.uk.
mask.apple-dns.net	nameserver = ns-49.awsdns-06.com.
mask.apple-dns.net	nameserver = ns-781.awsdns-33.net.

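The test above compares what the local resolver says about mask.icloud.com with what Apple's authoritative servers say. Below is an added example (not code from the thread or from any poster) that does the same comparison programmatically from a LAN machine, using only the Python standard library: it builds a raw DNS query, parses the reply, and classifies it as a normal answer, an authoritative referral, or the negative answer (NXDOMAIN or an empty reply) that Apple documents as the signal for "Private Relay not allowed on this network". The two sample replies embedded at the bottom are constructed for offline use; the 203.0.113.10 address is a documentation-range placeholder, and the resolver address passed to query() is whatever your LAN uses.

```python
import socket
import struct

QTYPE_A, QTYPE_CNAME = 1, 5
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Encode a dotted hostname into DNS label format (length-prefixed labels, NUL terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Standard recursion-desired query: 12-byte header, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the message)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Return (rcode, answer records as (owner, type, value), authority record count)."""
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode, offset = flags & 0x000F, 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == QTYPE_CNAME:
            value, _ = decode_name(data, offset)
        elif rtype == QTYPE_A and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        else:
            value = rdata.hex()
        answers.append((owner, rtype, value))
        offset += rdlen
    return rcode, answers, ns


def classify(rcode, answers, nscount=0):
    """Interpret a reply for mask.icloud.com the way the Private Relay client does."""
    if rcode == RCODE_NXDOMAIN:
        return "blocked"  # negative answer: resolver (pihole, ISP filter, ...) is denying the name
    if not answers:
        # An authoritative server answers with a referral (NS records in the authority
        # section) rather than a CNAME; a recursive resolver with no records is a NODATA block.
        return "referral" if nscount else "blocked"
    return "ok"


def query(server, name, qtype=QTYPE_A, timeout=3.0):
    """Send one UDP query to a resolver or nameserver and parse the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def build_response(question, rcode, answers, txid=0x1234):
    """Construct a reply message; used here only to fabricate offline sample data."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    msg += encode_name(question) + struct.pack("!HH", QTYPE_A, 1)
    for owner, rtype, value in answers:
        # An owner equal to the question name is written as a pointer to offset 12.
        owner_bytes = b"\xc0\x0c" if owner == question else encode_name(owner)
        rdata = encode_name(value) if rtype == QTYPE_CNAME else socket.inet_aton(value)
        msg += owner_bytes + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return msg


# Constructed samples: what a blocking resolver returns, and what a normal one returns.
SAMPLE_BLOCKED = build_response("mask.icloud.com", RCODE_NXDOMAIN, [])
SAMPLE_OK = build_response("mask.icloud.com", RCODE_NOERROR, [
    ("mask.icloud.com", QTYPE_CNAME, "mask.apple-dns.net"),
    ("mask.apple-dns.net", QTYPE_A, "203.0.113.10"),  # placeholder address, not Apple's
])

if __name__ == "__main__":
    for label, sample in (("blocking resolver", SAMPLE_BLOCKED), ("normal resolver", SAMPLE_OK)):
        rcode, answers, ns = parse_response(sample)
        print(label, "->", classify(rcode, answers, ns), answers)
```

Run it against the router's resolver and then against an Apple nameserver (e.g. `query("192.168.1.1", "mask.icloud.com")` versus `query("17.253.200.1", "mask.icloud.com")`): a "blocked" result from the former with a CNAME from the latter points at the local resolver or something between it and the internet, which is the same conclusion the nslookup session above leads to.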

Are you using pihole? Its default configuration blocks access to mask.icloud.com

Sorry - replied to @psherman instead of @hwy17


I'm getting quite confusing results now. I was able to edit the title once but it does not let me edit again. Please change it back to the earlier non-obnoxious one.

I need to chase this down a bit and come back.

Oh god, this is embarrassing. I must not have paid close enough attention when testing with the other router.

I think this is Comcast SecurityEdge having recently become enabled for some reason.

Thank you for your patience while I was that guy today @psherman

Glad it's working now. We all have days like this :laughing:

