Manual host entry @ OpenWrt DNS prevents Android from resolving

I've got a "TP-Link TL-WDR4900 v1" running "OpenWrt 22.03.2 r19803-9a599fee93 / LuCI openwrt-22.03 branch git-22.288.45147-96ec0cd".

The Dnsmasq DHCP+DNS Server is active and I've got a few services running that are visible to the outside internet. To access them faster from the inside without going through my ISP's DSL modem (a Fritzbox), which is limited by the SQM service running on my OpenWRT router, I've added a manual host entry pointing my dyn-dns domain to the local IP address that hosts those services.

This works perfectly for most devices, but a few of the Android phones in my household give "unknown host" resolving errors for my dyn-dns domain whenever I have mapped it using that manual host entry. Without it, everything works fine, but the slow speed is annoying for a local service.

Does anybody have any ideas how to debug this issue or work around it? I don't want to move the local mapping onto the devices, which would multiply the manual host entries and prevent them from phoning home when they are outside.

I assume DoT is disabled on Android, and DoH in the browsers?


Thanks for your reply!

After reading the link you provided, I learnt that DoT = "DNS over TLS" & DoH = "DNS over HTTPS". I suspect that's what my MIUI Android phone calls "private DNS", though it doesn't offer a choice between those two. I've tried that set to both "off" & "auto"; both leave the phone unable to resolve my domain as long as I have a manual host entry on my OpenWRT router mapping it to a local IP.

Writing this up gave me an idea to try out: mapping my domain manually to my outside IP address using a manual host entry, the same way I've used it to map it to a local IP address before, works without hindering Android devices from resolving it as a host name. So the issue lies only with using a local IP address for such a mapping. (And only on some of my Android devices.)

Also mapping an arbitrary non-existing domain name on my OpenWRT DNS hostnames tab to an external, public IP address works and makes that domain name browsable on my Android phone. Directly browsing to the private LAN IP hosting my website also works (though of course both these methods yield SSL errors that need to be manually skipped in a browser).

But trying to access a domain name mapped to a private LAN IP always fails on this Android phone. Even trying to ping that domain name via Termux or adb shell gives an "unknown host" error. Using the nslookup command installed in Termux works fine, but that seems to be independent of the actual resolution used by everything else including ping.

I've worked around the issue at least for http & https by instead creating a firewall port forward rule that forwards all traffic from LAN to my external IP to the host providing those services.

Strangely, the same doesn't work for iperf3 port 5201; there the replies come from the internal IP as src instead of the external IP like for http & https. That internal IP confuses the iperf3 client, which resets the connection instead of ACKnowledging it.

I thought that the "NAT Loopback" option in the Advanced Tab for that firewall port forward rule would take care of rewriting the src/dst fields accordingly, but strangely http & https always work (and replies come from the correct src that was the target of the request, no matter if I activate "NAT Loopback" and what I select as a Loopback source IP). Iperf3 never works with such a forward rule.
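As an added diagnostic (not code from this thread, from OpenWrt or from dnsmasq): the script below sends a plain UDP A query to one resolver at a time, so the router's answer for the dyn-dns name can be compared with a public resolver's, and it flags whether the returned address is a private (RFC 1918) one, which is exactly the case the poster found failing on the phone. The resolver address, the domain name and the embedded sample reply are assumptions/constructed for offline use.

```python
import ipaddress
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (recursion desired) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg: bytes) -> dict:
    """Extract rcode and A-record addresses from a DNS reply; mark private ones."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return {"rcode": flags & 0x000F, "addresses": addrs,
            "private": [a for a in addrs if ipaddress.ip_address(a).is_private]}

def resolve_via(name: str, server: str, timeout: float = 2.0) -> dict:
    """Query one resolver directly over UDP/53 (e.g. the router's LAN address)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _peer = s.recvfrom(512)
    return parse_a_records(data)

# Constructed sample reply (not captured from any real router): example.test -> 192.168.1.10
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                + build_query("example.test")[12:]
                + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([192, 168, 1, 10]))

if __name__ == "__main__":
    # Assumed values: replace with your own dyn-dns name and your router's LAN IP.
    for resolver in ("192.168.1.1", "9.9.9.9"):
        print(resolver, resolve_via("example.test", resolver))
```

Run it once against the router and once against a public resolver from a machine on the LAN; if the router returns the private address while the phone still reports "unknown host", the difference is on the phone's side of the resolution path rather than in dnsmasq's answer.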