iPhone complains about OpenWrt "Blocking Encrypted DNS Traffic"

Hi

cat https-dns-proxy

config main 'config'
	option update_dnsmasq_config '*'
	option force_dns '1'
	list force_dns_port '53'
	list force_dns_port '853'

config https-dns-proxy
	option listen_addr '127.0.0.1'
	option listen_port '5054'
	option user 'nobody'
	option group 'nogroup'
	option bootstrap_dns '185.213.26.187,45.67.219.208,5.2.75.75,45.79.120.233,2a0d:5600:33:3::3,2a04:bdc7:100:70::70,2a04:52c0:101:75::75,2400:8904:e001:43::43'
	option resolver_url 'https://doh.nl.ahadns.net/dns-query'

config https-dns-proxy
	option listen_addr '127.0.0.1'
	option listen_port '5053'
	option user 'nobody'
	option group 'nogroup'
	option bootstrap_dns '176.103.130.130,176.103.130.131'
	option resolver_url 'https://dns.adguard.com/dns-query'

config https-dns-proxy
	option bootstrap_dns '1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001,8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844'
	option resolver_url 'https://dns.digitale-gesellschaft.ch/dns-query'

I am confused

Should probably post the firewall file instead.

Try not forcing the DNS: set force_dns '0'.


Please elaborate, I do not understand.

I force HTTPS DNS, I do not block it. I want every device in my network to use it.

How do I list all FW rules without device-specific MAC and IP addresses?

I think it is because you force the iPhone to use your DNS proxy and don't allow it to use its own direct secured connection.

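The explanation above (the router forces all DNS through its own proxy, so the phone's own encrypted resolver cannot be reached) and the earlier suggestion to set force_dns '0' can both be checked against the config posted at the top of the thread. The script below is an added example, not code from the thread or from the https-dns-proxy package: it parses a constructed copy of that config, flags the combination of force_dns '1' with 853 in force_dns_port, and emits a version with only the 853 redirect removed, so devices that still send plain DNS on port 53 are steered to the proxy while DNS-over-TLS from the phone passes through.

```sh
#!/bin/sh
# Added example, not from the thread: inspect an OpenWrt https-dns-proxy UCI
# config for the combination behind the iOS "Blocking Encrypted DNS Traffic"
# notice. With force_dns '1' and 853 in force_dns_port, the router redirects
# the phone's DNS-over-TLS connections to itself, where nothing answers DoT,
# so the phone's own encrypted resolver is unreachable.

# Constructed sample config, modelled on the one posted in the thread.
write_sample_config() {
    cat > "$1" <<'EOF'
config main 'config'
	option update_dnsmasq_config '*'
	option force_dns '1'
	list force_dns_port '53'
	list force_dns_port '853'

config https-dns-proxy
	option listen_addr '127.0.0.1'
	option listen_port '5054'
	option resolver_url 'https://doh.nl.ahadns.net/dns-query'
EOF
}

# Print "hijacks-853" when the 'config main' section forces DNS and lists
# port 853 among the forced ports, otherwise "ok".
dot_hijack_status() {
    awk -v q="'" '
        /^config / { in_main = ($2 == "main") }
        in_main && $1 == "option" && $2 == "force_dns" { force = $3 }
        in_main && $1 == "list" && $2 == "force_dns_port" { ports = ports " " $3 }
        END {
            gsub(q, "", force); gsub(q, "", ports)   # strip UCI quotes
            if (force == "1" && index(" " ports " ", " 853 ") > 0)
                print "hijacks-853"
            else
                print "ok"
        }' "$1"
}

# Emit the config with the port-853 redirect dropped. Plain port-53 queries
# are still captured by the proxy; DoT to the phone's resolver is let through.
# (The thread's blunter fix, force_dns '0', removes the redirect entirely.)
relax_dot_redirect() {
    grep -v "force_dns_port '853'" "$1"
}

# Stand-alone run: report the sample config, then the relaxed version.
main() {
    cfg=$(mktemp); fixed=$(mktemp)
    write_sample_config "$cfg"
    echo "sample:  $(dot_hijack_status "$cfg")"
    relax_dot_redirect "$cfg" > "$fixed"
    echo "relaxed: $(dot_hijack_status "$fixed")"
    rm -f "$cfg" "$fixed"
}
main "$@"
```

On a router the same check can be run against /etc/config/https-dns-proxy; the awk and grep calls use only POSIX features, so the script also runs under BusyBox.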

mask them out.

192.168 IPs aren't public, you can leave those in.

"I think it is because you force the iPhone to use your DNS proxy and don't allow it to use its own direct secured connection."
That makes sense. It confirms that the big bros like goggle and appel continue in their efforts to force the users under their secure (???) umbrella, to make sure nobody can escape their advertisements and hurt their business. The forced usage of HTTPS was the first major unpleasant hit, because it practically eliminates the usage of web caches and made content filtering harder, costing much more bandwidth, i.e. to be paid by the users.


Yes, that's what I thought: forcing router DNS doesn't allow Apple's own secure DNS to work.

Yeah, if you installed some local DNS -> DoH proxy/VPN app (don't know if those exist for iOS, they do for Android), it'd probably still complain, even though everything is actually very secure.

So that appel is able to track the users' behaviour. And most likely the "Biggest Brother" NSA participates.

OT: you could also see it this way: the network you are in is tracking your DNS queries.
The iPhone does not know whether the LAN DNS server/proxy is secure. It just informs the user that the current network does not allow secure DNS from the end-user device to the internet. And of course all those Apple services ("iCloud Private Relay", "do not track", etc.) use this in some way, e.g. if you enable the "Tracking of IP-Address" setting in the Wi-Fi settings.
I find your arguments interesting: HTTPS is bad because there is no content filter; Apple's information about forced DNS is bad because of the NSA.

HTTPS bad: in every school there must be a content filter for the minors. Forced DNS must (most likely) be shared with the NSA. I consider them able to decrypt.

Dude, enough of that NSA talk already, stay on topic.


I use this profile on iOS https://github.com/paulmillr/encrypted-dns

Configuration profiles for DNS over HTTPS and DNS over TLS for iOS 14 and macOS Big Sur.

Now I understand it even less.

Are those profiles configured for cellular network only?
I used https://dns.notjakob.com/tool.html to configure mine to my needs.

You set up your iPhone to use the above profile,
and also configured your router to use a custom encrypted DNS,
and the iPhone complains about blocking encrypted DNS traffic,
so in the iPhone's WLAN settings set the DNS server to manual and point it to your router.

