I have been searching for a few days to get the "private DNS mode" set up in OpenWrt, where a similar option can be found in Android 9 and above. Using this method, I don't need to install an additional app on the phone, yet I can enjoy blocking ads if I use "dns.adguard.com", for example.
Perhaps a small or similar lightweight DNS proxy server package add-on can do the work?
Running an AdGuard Home server on the box is going to eat up huge resources, especially on a normal off-the-shelf router.
Referring to Google Android phones, this is basically the DNS over TLS support brought by introducing the Private DNS feature. It encrypts all DNS traffic on the phone, is enabled by default, and uses a secure channel to connect to the DNS server if the server supports it.
However, I have added dns.adguard.com in the stubby.yaml, but it does not seem to work. Not sure if I have missed anything?
# Note: by default on OpenWRT stubby configuration is handled via
# the UCI system and the file /etc/config/stubby. If you want to
# use this file to configure stubby, then set "option manual '1'"
# in /etc/config/stubby.
resolution_type: GETDNS_RESOLUTION_STUB
round_robin_upstreams: 1
appdata_dir: "/var/lib/stubby"
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
## Adguard Default servers ipv4
  - address_data: 94.140.14.14
    tls_auth_name: "dns.adguard.com"
  - address_data: 94.140.15.15
    tls_auth_name: "dns.adguard.com"
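The comment at the top of the pasted file says stubby on OpenWrt is configured from /etc/config/stubby unless that file sets option manual '1'. The following is an added example, not from the thread or the stubby package, that checks that flag and lists the upstreams a manual YAML file defines; the function names and the two file paths passed as arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: script UCI_FILE YAML_FILE

# stubby_manual UCI_FILE: succeeds only if the file sets option manual '1'.
stubby_manual() {
    grep -Eq "^[[:space:]]*option[[:space:]]+manual[[:space:]]+['\"]?1['\"]?[[:space:]]*\$" "$1"
}

# yaml_upstreams YAML_FILE: prints "address tls_auth_name" for each entry
# under upstream_recursive_servers, with "-" when no tls_auth_name is given.
yaml_upstreams() {
    awk '
        function flush(  a, n) {
            a = (addr == "" ? "?" : addr); n = (name == "" ? "-" : name)
            if (have) print a, n
            have = 0; addr = ""; name = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        /^[A-Za-z_]/ { flush(); in_up = ($1 == "upstream_recursive_servers:"); next }
        !in_up { next }
        /^[ \t]*-/ { flush(); have = 1; sub(/^[ \t]*-[ \t]*/, "") }
        { sub(/^[ \t]+/, "") }
        /^address_data:/ { addr = $2 }
        /^tls_auth_name:/ { name = $2; gsub(/"/, "", name) }
        END { flush() }
    ' "$1"
}

# check_stubby UCI_FILE YAML_FILE: prints findings; exit status is their count.
check_stubby() {
    problems=0
    if ! stubby_manual "$1"; then
        echo "manual mode is off: $2 is not used, stubby is configured from $1"
        problems=$((problems + 1))
    fi
    for a in $(yaml_upstreams "$2" | awk '$2 == "-" { print $1 }'); do
        # tls_pubkey_pinset, the other way to authenticate, is not parsed here.
        echo "upstream $a has no tls_auth_name to authenticate against"
        problems=$((problems + 1))
    done
    return "$problems"
}

if [ "$#" -eq 2 ]; then check_stubby "$1" "$2"; fi
```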
You could also try https-dns-proxy for DoH.
Tried https-dns-proxy, but it doesn't block; for example, I am still able to open up the adult website without any problem.
Is force dns enabled in https-dns-proxy?
Have you opened "the adult web-site" from the same client before?
Does that client use DoH/DoT/VPN service of their own?
It is already forced and no VPN client is running.