[SOLVED] Configuring DoH on router correctly (Restricted by ISP)

Hello

First of all some basic information of my system:

Router Model: Xiaomi Mi Router 4A (100M International Edition V2)
Firmware Version: OpenWrt 24.10.0-rc3 r28202-8667ca841b / LuCI openwrt-24.10 branch 24.355.00587~f92e072

My problem is the following: my ISP is blocking VPNs, proxies and custom DNS servers, so configuring a custom DNS server such as 8.8.8.8 or 1.1.1.1 in e.g. Windows or Android doesn't work and I can't use the web.

However, I've realized that I can use DoH in Google Chrome using its settings! These are the working settings:

I've tried to install https-dns-proxy and luci-app-https-dns-proxy and put in the DNS information there, but I can't seem to get it to work properly.

For example I've configured OpenDNS like this:

and I have standard Cloudflare DNS configuration like this:

and unfortunately it still doesn't work.

Oddly enough, when I use Cloudflare as DoH (in Chrome, with DoH disabled on the router) and go to https://1.1.1.1/help I get no connection in the browser, but when I go to https://one.one.one.one/help I get this:

I doubt that Google Chrome is using magic and I suspect that I might be doing something wrong.

How can I fix this?

Google created and often uses the QUIC protocol, which is:

"QUIC was developed with HTTP in mind, and HTTP/3 was its first application. DNS-over-QUIC is an application of QUIC to name resolution, providing security for data transferred between resolvers similar to DNS-over-TLS."

This may play a role in Google's success. Your ISP may not be filtering the QUIC protocol, but will catch plain DoH?

Try setting up a custom DoH server and use an IP address instead of a domain, e.g.:

https://185.222.222.222/dns-query
or
https://45.11.45.11/dns-query

Alternatively, set up a VPN first and use that.


I am unsure if this is what you mean, but I've tried this config and it is not working:

I am unsure tbh.

Do you think that the OpenDNS, Cloudflare and DNS.SB servers support QUIC? Is there any way I can test if it gets filtered from my ISP?

I've never heard about this protocol.

Use custom as Provider:

config https-dns-proxy
	option resolver_url 'https://45.11.45.11/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5055'
	option user 'nobody'
	option group 'nogroup' 

Make sure to drag it to the top of the list if you have more DNS servers configured:

Maybe it works, maybe not; otherwise set up a VPN.


Post the output of

nslookup duckduckgo.com
nslookup duckduckgo.com 1.1.1.1
nslookup duckduckgo.com  127.0.0.1:5053
cat /etc/config/https-dns-proxy
ping 1.1.1.1
traceroute 1.1.1.1

*you can hide (part of) your public IP in traceroute

This is :fire::fire::fire:

As you can see in my previous post, I put that IP into the Bootstrap DNS field and set the Provider as Custom. However, when I opened the dialog again it showed AdGuard because I did not add any Parameters (I did not know the address was supposed to be the parameter :man_facepalming:)

It WORKS now! Thanks :pray::pray::pray:

My guess is that if I want to add the other address too I need to separate the "Parameters" by a comma? E.g. https://45.11.45.11/dns-query,https://185.222.222.222/dns-query ?

It works now.

My issue was that I put in the IP address / the domain name into the "Bootstrap DNS" field instead of the "Parameter" field!

I think you have to add another Custom provider with that address and a different port but otherwise the same.

You do not need a bootstrap as you are using an IP address.
Bootstrap uses plain DNS, and that might be blocked by your ISP, so to get around this we use an IP address as the URL.

Maybe you can use https://1.1.1.1/dns-query also, but they might be just blocking traffic to 1.1.1.1 and not to the not-so-well-known dns.sb servers.

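To make the point above concrete (a literal IP in the resolver URL means the proxy never has to do a plain-DNS bootstrap lookup), here is an added, offline walk-through of what a DoH client such as https-dns-proxy sends, following RFC 8484; this is example code written for this thread, not https-dns-proxy's own source. The only resolver URLs used are the ones already mentioned in the thread, and the sample response is constructed, not captured.

```python
import base64
import ipaddress
import struct
from urllib.parse import urlsplit

def needs_bootstrap(resolver_url: str) -> bool:
    """Bootstrap (plain DNS) is only needed to resolve a hostname in the resolver URL."""
    host = urlsplit(resolver_url).hostname or ""
    try:
        ipaddress.ip_address(host)  # literal IPv4/IPv6: nothing to look up
        return False
    except ValueError:
        return True

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """DNS wire-format query; RFC 8484 suggests ID 0 so GET URLs stay cacheable."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form of a DoH request: unpadded base64url in the 'dns' query parameter."""
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def _skip_name(msg: bytes, off: int) -> int:
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1  # past the terminating zero label

def parse_a_records(msg: bytes) -> list[str]:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype + qclass
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

# Constructed sample response (not captured traffic): one A record, 192.0.2.1 (RFC 5737 range).
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("duckduckgo.com")[12:]
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The URL returned by `doh_get_url` is exactly what the proxy fetches over HTTPS; with the IP-literal URL, the only thing the ISP can act on is the TLS connection to that address itself, which is why blocking 1.1.1.1 while leaving less common resolver IPs reachable produces the behaviour seen in this thread.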

Maybe you can use https://1.1.1.1/dns-query

Unfortunately not. I think they specifically block this IP and the alternative 1.0.0.1 one. I've tried both with the /dns-query but I don't get anything.

Oddly enough I can ping them.

I still wonder how Google Chrome does it. Maybe Cloudflare has a different address too?

I've also noticed that I cannot use the regular domain names of the DoH servers like OpenDNS because they get blocked too.

Fortunately https://[IP]/dns-query works fine...

Very odd.

Probably because the browser uses ESNI/ECH. (?)
As far as I know Chrome, Firefox and Opera support it.

Yes.
You can see it in the certificate used in the DoH server query URL.
The easiest way is to use the Firefox browser.

Cloudflare-Certificate

Thanks for confirming that they really hard-block DNS IP addresses; luckily they did not block the lesser-known ones such as the ones you are using.

But in due time they will too, and you might have to revert to using a VPN.

To confirm if it really blocks, let's see the output of

nslookup duckduckgo.com 1.1.1.1
nslookup duckduckgo.com 1.0.0.1

My advice: change this ISP if you can.

With the behaviour your ISP shows, I wouldn't be surprised if they do way more.
And it's actually easy to track the number of DNS requests you make to their DNS server and the total amount of traffic you do (heck, they block other DNS to force you to use just their own DNS server, and for me being forced to use their DNS server = the ISP tracking everything I do on the internet, something I find unacceptable; they can have other reasons, like trying to enforce some laws, but I disagree with this. I consider that I should be allowed to break the law if this is what I want, because I'm OK with the idea of the law being applied to me if I break it (you can buy a gun after you get the license for it; if you use the gun to shoot someone without motive you go to jail; stopping this from happening would mean no civilian is allowed to have a gun)). And if you have a nice 0 requests on their DNS servers along with 100 MB or more of traffic, it will be obvious that you are bypassing their enforced DNS servers, and from this moment I would expect them to actually log all the traffic you do until they figure out how you are bypassing it. Once they figure it out they will block it; don't be surprised if they suspend your internet access for bypassing their enforced DNS servers.


Ok, so I've set 1.1.1.1/dns-query and 1.0.0.1/dns-query as my DNS servers and the nslookup looks like this:

C:\Users\PSPlover>nslookup duckduckgo.com 1.1.1.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  1.1.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
C:\Users\PSPlover>nslookup duckduckgo.com 1.0.0.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  1.0.0.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

How do I see that in Chrome? 1.1.1.1, 1.0.0.1 and cloudflare-dns.com don't work in https-dns-proxy.

Haha they are blocking VPNs too :sweat_smile:

I'd like to, but at the moment I can't switch ISPs.