Prevent privacy warning issued by iOS

I am operating a router (192.168.1.1) provided by my ISP. Unfortunately, its WiFi performance is quite weak. Therefore, I have attached a TP-Link Archer C6 (192.168.1.2) to it via Ethernet and want to operate the device as a wireless access point (AP). To do so, I have installed OpenWrt 21.02.0 and closely followed these steps via the web interface.

In principle, this setup works exactly how I expect it to work. However, there is one problem: When I connect to one of the WiFi networks provided by the AP via iOS, the following warning is shown:

Privacy Warning
This network is blocking encrypted DNS traffic.

The names of websites and other servers your device accesses on this network may be monitored and recorded by other devices on this network.

I have no idea why this is happening and, obviously, would like to get rid of this warning.

Here are a few more remarks to pinpoint the problem:

  • I have verified that my iOS device automatically detects 192.168.1.1 as its DNS server.
  • Manually setting the DNS server to 192.168.1.1 does not solve the issue.
  • There is no DNS server running on the OpenWrt router, i.e., on 192.168.1.2.
  • Manually setting the DNS server to a non-existent IP address on iOS leads to a situation where domains cannot be resolved anymore, but it still does not cause the warning to disappear.
  • If I connect to the same network via the primary router's WiFi, I am not presented with this warning. This is even true if the OpenWrt device at 192.168.1.2 is part of the network.
  • This warning is not issued if the stock firmware of the TP-Link router is used.

To summarize: My current OpenWrt setup seems to do something with the packets it physically exchanges with the iOS device. Whatever it is, it causes iOS to issue the warning shown above.

Does anyone have an idea how to tackle this issue?

I have this warning as well, currently living with the warning.

I have 2 OpenWrt routers placed at different homes (also different Internet providers, hence different WAN IPs), but with the same SSID and WiFi secret, one on 5 GHz and the other on 2.4 GHz.
After I have roamed around in this scenario, eventually the warning comes up in the iOS settings section.

This iOS warning is said to be due to some of the recent iOS updates that rolled out new warning features about potential privacy issues to iOS. I think the iOS private WiFi MAC feature, where iOS can dynamically switch the MAC address from time to time, was added in the same update.
Apple points to https://support.apple.com/en-us/HT202068, which so far did not help me further to narrow it down.

My guess is that iOS assumes that such a multi-AP WiFi is no longer a typical privacy-compliant home WiFi, once iOS has joined several different WiFi configs that obviously share the same SSID and secret, but clearly differ in other network settings.
It could be in this case that iOS assumes that you have joined some larger public WiFi, where other WiFi users might also be joined that could see some of your traffic.
Probably iOS would then prefer using encrypted DNS in such a public WiFi place, but does not find such a DNS config, so it is still working fine, just warning you about the potential privacy problem.

So the error message may be a bit misleading; iOS does not really need encrypted DNS in general since the recent updates. It's maybe just that since newer versions iOS is more sensitive to what it thinks is a privacy-compliant WiFi and when it would prefer added security in place.

I had this problem a few months ago and unfortunately can't remember how I fixed it, but I think it may have been related to Apple's new Private Relay feature, so if you have that, try disabling it and also disabling "Limit IP Address Tracking" for your network in iOS settings.

I have a hunch that iOS is showing this message because of my TLS over DNS using stubby setup.

But if others also get this message even without TLS over DNS, then I don't know what it is...

I have a hunch most stock firmwares are using this. (https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns) I can confirm the E5600 stock firmware does use this as there is a telnet vulnerability that allows you to login to the router. I was able to see the firewall config file in stock firmware where this is in fact in the config. Also no matter which DNS you apply from the UI the stock firmware always defaults to the ISP provided DNS.

On flashing OpenWrt on the same device I do not get this warning. I didn't even reconnect to the WiFi, just kept the same SSID, and my devices autoconnected and still the warning was gone.
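Since the post above points at the OpenWrt intercept_dns firewall pattern (a DNAT redirect of LAN port 53), here is an added example, not from anyone in this thread, that audits `uci show firewall` output for such redirects so you can tell whether your own router is rewriting DNS. It assumes the redirect sections use the standard `src_dport`/`target` options as in the linked doc; the sample input is constructed for the offline demonstration.

```sh
#!/bin/sh
# Added example: list firewall redirect sections that DNAT port 53.
# On the router run:  uci show firewall | find_dns_redirects
# Input:  uci "key='value'" lines on stdin.
# Output: one section name per matching redirect, e.g. firewall.@redirect[0]
find_dns_redirects() {
    awk -F'=' -v q="'" '
        /^firewall\.[^=]*\.(src_dport|target|src)=/ {
            key = $1; val = $2
            gsub(q, "", val)                 # strip uci quoting
            sect = key; sub(/\.[^.]*$/, "", sect)   # firewall.@redirect[0]
            opt  = key; sub(/.*\./, "", opt)        # src_dport / target / src
            v[sect, opt] = val; seen[sect] = 1
        }
        END {
            # intercept_dns pattern: DNAT of incoming port 53 (tcp and/or udp)
            for (s in seen)
                if (v[s, "target"] == "DNAT" && v[s, "src_dport"] == "53")
                    print s
        }' | sort
}

# Constructed sample output resembling `uci show firewall` on a router that
# has the intercept_dns redirect plus an unrelated port forward.
SAMPLE_UCI=$(cat <<'EOF'
firewall.@redirect[0]=redirect
firewall.@redirect[0].name='Intercept-DNS'
firewall.@redirect[0].src='lan'
firewall.@redirect[0].src_dport='53'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[1]=redirect
firewall.@redirect[1].name='Forward-SSH'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='22'
firewall.@redirect[1].dest_port='22'
firewall.@redirect[1].target='DNAT'
EOF
)

# Returns 0 (true) when at least one DNS redirect is present.
dns_intercept_present() {
    [ -n "$(find_dns_redirects)" ]
}

printf '%s\n' "$SAMPLE_UCI" | find_dns_redirects
```

An empty result means no port-53 redirect is configured, so the iOS warning would have to come from something else (e.g. a DoT/DoH stub on the router or upstream filtering).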