I currently use luci-app-https-dns-proxy, adblock-lean, luci-app-acme and luci-app-banip to serve my router admin UI over a trusted HTTPS domain and to ban a decent number of IPs and domains on my MR90X (128/512 Filogic 830), which is running dual stack.
However, I have noticed that all Chromium based browsers have an annoying issue where if your client device's DNS is not resolved over DoH by the browser, EncryptedClientHello is disabled.
Setting up DoH on OpenWRT for more privacy becomes useless if my ISP can snoop the domain names with SNI when ECH is disabled.
I'd like to know if anyone here has been able to set up a working DoH proxy (to proxy the local dnsmasq instance over DoH) on OpenWRT routers with limited resources, preferably something that doesn't break LuCI or require massive packages. I've tried various group policy and other solutions to force-enable ECH on Chromium-based browsers, but it just doesn't work without DoH.
I have tried to set up a DoH proxy myself by using this shell script with uhttpd CGI, but the minimum latency was ~120-200ms, which felt a bit much to me. Another alternative I tried was using a ucode script instead of a shell script with ChatGPT's help (since ucode doesn't have too many examples), and the latency improved to about a ~60ms minimum, but I kept facing TLS handshake failures with the built-in Windows DNS Client after setting it up as the default DoH resolver for my system. I'm not sure if it's my code, ucode, or uhttpd that's causing the issue.
There have been some threads discussing DoH server hosting in the past but nothing conclusive, so if anyone has a solution to my ucode CGI script issue or another solution for a DoH server/proxy, please let me know!
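For reference, here is the HTTP-layer half of what such a proxy has to do, written as an added example in Python (it is not the poster's shell or ucode script, and not OpenWrt project code). It implements the RFC 8484 request shapes a client like the Windows DNS Client sends (GET with a padding-stripped base64url `dns` parameter, or POST with `Content-Type: application/dns-message`), forwards the raw DNS wire message to a local resolver over UDP, and derives the `Cache-Control: max-age` from the smallest TTL in the answer as the RFC recommends. The upstream address `127.0.0.1:53` is an assumption standing in for the local dnsmasq instance, and `build_answer` only fabricates a test fixture. TLS termination is left to the web server in front of it (uhttpd in the poster's setup), so a handshake failure would not be visible at this layer.

```python
"""Minimal RFC 8484 DNS-over-HTTPS front end for a local resolver (added example)."""
import base64
import binascii
import os
import socket
import struct
import sys

# Assumption: the local resolver (dnsmasq) listens on loopback port 53.
UPSTREAM = ("127.0.0.1", 53)


def encode_dns_param(msg):
    """base64url without '=' padding, as DoH GET clients send it (RFC 8484 s6)."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def decode_dns_param(value):
    """Inverse of encode_dns_param; restores padding and rejects stray characters."""
    padded = value.replace("-", "+").replace("_", "/") + "=" * (-len(value) % 4)
    return base64.b64decode(padded, validate=True)


def parse_doh_request(method, query_string, content_type, body):
    """Return the raw DNS wire message, or None if the request is not valid DoH."""
    if method == "GET":
        for pair in query_string.split("&"):
            key, _, val = pair.partition("=")
            if key == "dns" and val:
                try:
                    return decode_dns_param(val)
                except (ValueError, binascii.Error):
                    return None
        return None
    if method == "POST" and content_type.split(";")[0].strip() == "application/dns-message":
        return body or None
    return None


def build_query(name, qtype=1, txid=0):
    """Standard recursive query for `name` (qtype 1 = A)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_answer(query, ip, ttl):
    """Constructed one-A-record answer to `query`; a test fixture, not resolver output."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return query[:2] + struct.pack("!5H", 0x8180, 1, 1, 0, 0) + query[12:] + rr


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def min_ttl(msg):
    """Smallest TTL across all RRs (excluding OPT), for Cache-Control (RFC 8484 s5.1)."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    ttls = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype != 41:  # OPT pseudo-RR reuses the TTL field for flags
            ttls.append(ttl)
    return min(ttls) if ttls else 0


def forward_udp(msg, upstream=UPSTREAM, timeout=2.0):
    """Send the wire message to the local resolver and return its reply (None on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, upstream)
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None


def handle(method, query_string="", content_type="", body=b"", forward=forward_udp):
    """Map one HTTP request to (status, headers, body); `forward` is injectable for tests."""
    msg = parse_doh_request(method, query_string, content_type, body)
    if msg is None or len(msg) < 12:  # shorter than a DNS header cannot be a query
        return 400, {"Content-Type": "text/plain"}, b"bad request"
    answer = forward(msg)
    if answer is None:
        return 502, {"Content-Type": "text/plain"}, b"upstream timeout"
    headers = {"Content-Type": "application/dns-message",
               "Cache-Control": "max-age=%d" % min_ttl(answer),
               "Content-Length": str(len(answer))}
    return 200, headers, answer


if __name__ == "__main__":  # CGI entry point: uhttpd passes the request via environment + stdin
    env = os.environ
    status, headers, body = handle(env.get("REQUEST_METHOD", ""), env.get("QUERY_STRING", ""),
                                   env.get("CONTENT_TYPE", ""), sys.stdin.buffer.read())
    out = sys.stdout.buffer
    out.write(b"Status: %d\r\n" % status)
    for k, v in headers.items():
        out.write(("%s: %s\r\n" % (k, v)).encode())
    out.write(b"\r\n" + body)
```

Run as a CGI script it answers `/dns-query` for both GET and POST; the `forward` parameter of `handle` lets you exercise the parsing and caching logic without a resolver on the box.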