Hello!,
So I'm testing a setup, but I can't figure out why I have so many resolver issues when hijacking port 53.
I even had a few cases where my resolver turned into Mullvad's, although I never defined that anywhere; I just can't figure out why the issue appears so erratically.
The only thing I noticed is that when I don't use the package luci-app-nextdns or luci-app-https-dns-proxy, it often works as expected, though that doesn't explain to me why the features in luci-app-https-dns-proxy won't override my clients' DNS.
I disabled peerdns on both wan and wgclient, and I also made sure I have no default routes from these interfaces.
ubus board info (custom build from the main branch)
root@MT6000:~# ubus call system board
{
"kernel": "6.6.59",
"hostname": "MT6000",
"system": "ARMv8 Processor rev 4",
"model": "GL.iNet GL-MT6000",
"board_name": "glinet,gl-mt6000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"revision": "r28220-7a1d367853",
"target": "mediatek/filogic",
"description": "OpenWrt SNAPSHOT r28220-7a1d367853",
"builddate": "1731159380"
}
}
network configuration
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '2'
option steering_flows '256'
option ula_prefix '<snip>'
config device
option name 'br-lan'
option type 'bridge'
option ipv6 '0'
option igmp_snooping '1'
option multicast_querier '0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
list ports 'vx0'
list ports 'phy0-ap0'
list ports 'phy1-ap0'
config interface 'lan'
option device 'br-lan.169'
option proto 'static'
option ipaddr '10.234.53.1'
option netmask '255.255.255.0'
option delegate '0'
config interface 'wan'
option proto 'pppoe'
option device 'eth1.6'
option username '<snip>'
option password 'ppp'
option ipv6 '0'
option sourcefilter '0'
option delegate '0'
option classlessroute '0'
option mtu '1500'
option peerdns '0'
config bridge-vlan
option device 'br-lan'
option vlan '169'
list ports 'lan1:u*'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:u*'
list ports 'lan5:u*'
config bridge-vlan
option device 'br-lan'
option vlan '49'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan4:t'
list ports 'lan5:t'
config bridge-vlan
option device 'br-lan'
option vlan '6'
list ports 'lan3:t'
config bridge-vlan
option device 'br-lan'
option vlan '53'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan4:t'
list ports 'lan5:t'
config bridge-vlan
option device 'br-lan'
option vlan '89'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan4:t'
list ports 'lan5:t'
list ports 'vx0:t'
config interface 'aria'
option proto 'static'
option device 'br-lan.6'
option ipaddr '192.168.99.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'
config interface 'pcnet'
option proto 'static'
option device 'br-lan.49'
option ipaddr '10.34.79.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'
config interface 'wlan0'
option proto 'static'
option device 'br-lan.50'
option ipaddr '10.234.80.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'
config interface 'wlan1'
option proto 'static'
option device 'br-lan.51'
option ipaddr '10.234.81.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'
config interface 'iot'
option proto 'static'
option device 'br-lan.52'
option ipaddr '10.33.77.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'
config interface 'tvnet'
option proto 'static'
option device 'br-lan.53'
option ipaddr '172.22.33.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'
config interface 'ps5'
option proto 'static'
option device 'br-lan.89'
option ipaddr '10.56.2.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'
config interface 'ayaneo'
option proto 'static'
option device 'br-lan.90'
option ipaddr '10.87.32.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'
config interface 'aqaranet'
option proto 'static'
option device 'br-lan.178'
option ipaddr '10.233.10.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'
config interface 'hwnet'
option proto 'static'
option device 'br-lan.179'
option ipaddr '10.182.32.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'
config interface 'wifivpn'
option proto 'wireguard'
option private_key '<snip>'
option listen_port '51820'
list addresses '10.39.95.1/24'
option defaultroute '0'
option multicast '1'
option delegate '0'
option mtu '1500'
config wireguard_wifivpn
option description 'poco-x6-pro'
option public_key '<snip>'
option private_key '<snip>'
option preshared_key '<snip>'
option endpoint_port '51820'
option persistent_keepalive '25'
list allowed_ips '10.39.95.2/32'
config wireguard_wifivpn
option description 'ayaneo'
option public_key '<snip>'
option private_key '<snip>'
option preshared_key '<snip>'
list allowed_ips '10.39.95.3/32'
option endpoint_port '51820'
config interface 'wgclient'
option proto 'wireguard'
option private_key '<snip>'
list addresses '10.64.132.53/32'
option defaultroute '0'
option mtu '1500'
option force_link '1'
option delegate '0'
config wireguard_wgclient
option description 'Netherlands_nl-ams-wg-001'
list allowed_ips '0.0.0.0/0'
option endpoint_host '<snip>'
option endpoint_port '3004'
option persistent_keepalive '0'
option public_key '<snip>'
option disabled '1'
config bridge-vlan
option device 'br-lan'
option vlan '23'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan4:t'
list ports 'lan5:t'
config interface 'tvboxnet'
option proto 'static'
option device 'br-lan.23'
option ipaddr '192.168.59.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'
config interface 'wgserver'
option proto 'wireguard'
option private_key '<snip>'
option listen_port '4443'
list addresses '10.6.7.1/24'
option force_link '1'
option defaultroute '0'
option delegate '0'
option mtu '1500'
config wireguard_wgserver
option description 'MT3000'
option public_key '<snip>'
option endpoint_port '4443'
list allowed_ips '10.6.7.2/32'
option private_key '<snip>'
option persistent_keepalive '25'
option endpoint_host '<snip>'
option route_allowed_ips '1'
config bridge-vlan
option device 'br-lan'
option vlan '90'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan4:t'
list ports 'lan5:t'
list ports 'vx0:t'
config bridge-vlan
option device 'br-lan'
option vlan '52'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan4:t'
list ports 'lan5:t'
config bridge-vlan
option device 'br-lan'
option vlan '178'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan4:t'
list ports 'lan5:t'
config bridge-vlan
option device 'br-lan'
option vlan '50'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan4:t'
list ports 'lan5:t'
list ports 'phy1-ap0'
list ports 'vx0:t'
config bridge-vlan
option device 'br-lan'
option vlan '51'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan4:t'
list ports 'lan5:t'
list ports 'phy0-ap0'
list ports 'vx0:t'
config bridge-vlan
option device 'br-lan'
option vlan '179'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan4:t'
list ports 'lan5:t'
config route
option interface 'wifivpn'
option target '224.0.0.0/4'
option type 'multicast'
option table 'main'
config interface 'vx0'
option proto 'vxlan'
option peeraddr '10.6.7.2'
option tunlink 'wgserver'
option defaultroute '0'
option delegate '0'
option vid '4921'
option ipaddr '10.6.7.1'
option rxcsum '0'
option txcsum '0'
firewall
root@MT6000:~# cat /etc/config/firewall
config defaults
option input 'DROP'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'lan'
config zone
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option enabled '0'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
config zone
option name 'aria'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'aria'
config zone
option name 'pcnet'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'pcnet'
config zone
option name 'wlan0'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wlan0'
config zone
option name 'wlan1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wlan1'
config zone
option name 'iot'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot'
config zone
option name 'tvnet'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'tvnet'
config zone
option name 'ps5'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'ps5'
config zone
option name 'aya'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'ayaneo'
config zone
option name 'aqara'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'aqaranet'
config zone
option name 'hwnet'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'hwnet'
config zone
option name 'wgclient'
option input 'DROP'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wgclient'
list network 'wg_pia'
config forwarding
option src 'aria'
option dest 'wgclient'
config forwarding
option src 'iot'
option dest 'wan'
config forwarding
option src 'tvnet'
option dest 'wan'
config forwarding
option src 'ps5'
option dest 'wgclient'
config forwarding
option src 'aya'
option dest 'wgclient'
config forwarding
option src 'aqara'
option dest 'wan'
config forwarding
option src 'hwnet'
option dest 'wan'
config zone
option name 'tvboxnet'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'tvboxnet'
config forwarding
option src 'tvboxnet'
option dest 'wan'
config rule
option name 'allow-vpn-bypass'
option target 'ACCEPT'
option mark '0x10000/0xff0000'
option src '*'
option dest 'wan'
config rule
option src 'wgserver'
option dest 'lan'
list dest_ip '10.234.53.3'
option target 'ACCEPT'
option name 'allow-backup-ip'
config rule
option src 'wifivpn'
option dest 'lan'
option target 'ACCEPT'
option name 'management'
list proto 'all'
list dest_ip '10.234.53.3'
list dest_ip '10.234.53.10'
list dest_ip '10.234.53.20'
list dest_ip '10.234.53.25'
list dest_ip '10.234.53.15'
list dest_ip '10.234.53.27'
config zone
option name 'wgserver'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wgserver'
config forwarding
option src 'wgserver'
option dest 'wgclient'
config rule
option name 'allow-maintenance'
option src 'pcnet'
option target 'ACCEPT'
option dest 'lan'
list proto 'all'
list dest_ip '10.234.53.10'
list dest_ip '10.234.53.3'
list dest_ip '10.234.53.15'
list dest_ip '10.234.53.20'
list dest_ip '10.234.53.25'
list dest_ip '10.234.53.26'
list dest_ip '10.234.53.27'
config rule
option name 'wgserver-allow-vxlan'
option src 'wgserver'
option dest_port '4789'
option target 'ACCEPT'
config redirect
option target 'DNAT'
list proto 'udp'
option src 'wan'
option src_dport '4443'
option dest 'wgserver'
option dest_ip '10.6.7.1'
option name 'forward-wgserver'
option dest_port '4443'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'forward-backup-vpn'
list proto 'udp'
option src 'wan'
option src_dport '4445'
option dest_ip '10.234.53.3'
option dest_port '4445'
config redirect
option dest 'wgserver'
option target 'DNAT'
option src 'pcnet'
option src_dport '4443'
option dest_port '4443'
option dest_ip '10.6.7.1'
list proto 'udp'
option name 'forward-wgserver'
config zone
option name 'wifivpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wifivpn'
config forwarding
option src 'wifivpn'
option dest 'wgclient'
config redirect
option target 'DNAT'
option src 'lan'
option src_dport '4443'
option dest_port '4443'
option dest_ip '10.6.7.1'
option name 'allow-wgserver-to-lan'
option dest 'wgserver'
list proto 'udp'
config forwarding
option src 'lan'
option dest 'wgserver'
config rule
option name 'allow-mt3000'
list proto 'all'
option src 'pcnet'
option dest 'lan'
list dest_ip '10.234.53.21'
option target 'ACCEPT'
config forwarding
option src 'pcnet'
option dest 'wgclient'
config rule
option name 'allow-wifivpn'
option src 'wlan0'
option dest_port '51820'
option target 'ACCEPT'
list proto 'udp'
config rule
option name 'allow-wifivpn'
list proto 'udp'
option src 'wlan1'
option dest_port '51820'
option target 'ACCEPT'
config rule
option name 'allow-printer'
option src 'pcnet'
option dest 'iot'
option target 'ACCEPT'
list dest_ip '10.33.77.5'
config rule
option name 'Allow-printer'
option src 'wifivpn'
option dest 'iot'
option target 'ACCEPT'
list dest_ip '10.33.77.5'
config forwarding
option src 'wlan0'
option dest 'wifivpn'
config forwarding
option src 'wlan1'
option dest 'wifivpn'
config rule
option src 'wifivpn'
option dest 'ps5'
list dest_ip '10.56.2.2'
option target 'ACCEPT'
config rule
option src 'wifivpn'
option dest_ip '224.0.0.0/4'
option target 'ACCEPT'
config rule
list proto 'udp'
option src 'wifivpn'
option dest 'iot'
option dest_port '5353'
option target 'ACCEPT'
config rule
list proto 'tcp'
option src 'wifivpn'
option dest 'iot'
option dest_port '8007-8009 5443 1900 10001 10101 80'
option target 'ACCEPT'
config redirect
option target 'DNAT'
option src 'iot'
option src_dport '53'
config redirect
option target 'DNAT'
option src 'ps5'
option src_dport '53'
config redirect
option target 'DNAT'
option src 'wifivpn'
option src_dport '53'
config redirect
option target 'DNAT'
option src 'tvnet'
option src_dport '53'
config redirect
option target 'DNAT'
option src 'tvboxnet'
option src_dport '53'
config redirect
option target 'DNAT'
option src 'aqara'
option src_dport '53'
config redirect
option target 'DNAT'
option src 'aya'
option src_dport '53'
config redirect
option target 'DNAT'
option src 'hwnet'
option src_dport '53'
config redirect
option target 'DNAT'
option src 'pcnet'
option src_dport '53'
config rule
option src '*'
option dest 'wan'
option dest_port '853'
option target 'REJECT'
option name 'block-dns-over-tls'
config rule
option name 'block-dns-over-tls'
option src '*'
option dest 'wgclient'
option dest_port '853'
option target 'REJECT'
config rule
option src '*'
option dest_port '8080'
option target 'ACCEPT'
config forwarding
option src 'pcnet'
option dest 'wan'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'
dhcp
config dnsmasq
option rebind_protection '0'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option sequential_ip '1'
option domainneeded '1'
option localise_queries '1'
option confdir '/tmp/dnsmasq.d'
option dnsseccheckunsigned '0'
option noresolv '1'
list server '/mask.icloud.com/'
list server '/mask-h2.icloud.com/'
list server '/use-application-dns.net/'
list server '127.0.0.1#5053'
list server '127.0.0.1#5054'
option doh_backup_noresolv '1'
list doh_backup_server '8.8.8.8'
list doh_server '127.0.0.1#5053'
list doh_server '127.0.0.1#5054'
config dhcp 'lan'
option interface 'lan'
option start '2'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option force '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'aria'
option interface 'aria'
option start '2'
option limit '150'
option leasetime '12h'
config dhcp 'pcnet'
option interface 'pcnet'
option start '2'
option limit '150'
option leasetime '12h'
config dhcp 'wlan0'
option interface 'wlan0'
option start '2'
option limit '150'
option leasetime '12h'
option force '1'
config dhcp 'wlan1'
option interface 'wlan1'
option start '2'
option limit '150'
option leasetime '12h'
config dhcp 'iot'
option interface 'iot'
option start '2'
option limit '150'
option leasetime '12h'
config dhcp 'tvnet'
option interface 'tvnet'
option start '2'
option limit '150'
option leasetime '12h'
config dhcp 'ps5'
option interface 'ps5'
option start '2'
option limit '150'
option leasetime '12h'
config dhcp 'ayaneo'
option interface 'ayaneo'
option start '2'
option limit '150'
option leasetime '12h'
config dhcp 'aqaranet'
option interface 'aqaranet'
option start '2'
option limit '150'
option leasetime '12h'
option ra_useleasetime '1'
config dhcp 'hwnet'
option interface 'hwnet'
option start '2'
option limit '150'
option leasetime '12h'
config dhcp 'tvboxnet'
option interface 'tvboxnet'
option start '2'
option limit '150'
option leasetime '12h'
^ note: the DoH backup server is not the issue; whether or not I set the DNS on my Windows machine, the issue occurs.
pbr
config pbr 'config'
option enabled '1'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'dnsmasq.nftset'
list resolver_instance '*'
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
list ignored_interface 'vx0'
list ignored_interface 'br-lan.169'
list ignored_interface 'br-lan.23'
list ignored_interface 'br-lan.53'
list ignored_interface 'br-lan.52'
list ignored_interface 'br-lan.178'
list ignored_interface 'br-lan.179'
list ignored_interface 'wgserver'
list ignored_interface 'br-lan.89'
option nft_file_support '1'
option boot_timeout '30'
option rule_create_option 'add'
option procd_boot_delay '50'
option procd_reload_delay '1'
option webui_show_ignore_target '1'
option nft_set_auto_merge '1'
option nft_set_counter '1'
option nft_set_flags_interval '1'
option nft_set_flags_timeout '0'
option nft_set_policy 'performance'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list supported_interface 'wgclient'
list supported_interface 'wifivpn'
config policy
option name 'ignore-all-local'
option dest_addr '10.0.0.0/8 172.16.0.0/12 192.168.0.0/16'
option interface 'ignore'
config policy
option name 'bypass domain'
option src_addr '10.6.7.0/24 10.234.80.0/24 10.87.32.0/24 10.34.79.0/24 10.39.95.0/24 10.56.2.0/24'
option interface 'wan'
option dest_addr 'spotifycdn.com scdn.co sony.akadns.net prod.dl.playstation.net.edgesuite.net sonycoment.loris-e.llnwd.net prod.dl.playstation.net steamcontent.com jumbo.com gls-info.nl outlook.com live.com postnl.nl vlscppe.microsoft.com git.openwrt.org underarmour.nl live.com microsoft.com outlook.com rewasd.com spotify.com worldpay.com whatismyip.com aqara.com reddit.com grc.com'
config policy
option name 'cascade-vpn'
option src_addr '10.6.7.0/24'
option interface 'wgclient'
config policy
option name 'route-vpn'
option src_addr '10.234.80.0/24 10.39.95.0/24 10.6.7.0/24 10.34.79.0/24 192.168.99.0/24 10.87.32.0/24'
option interface 'wgclient'
config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled '0'
config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled '0'
config policy
option src_addr '10.56.2.0/24'
option interface 'wgclient'
https-dns-proxy
config main 'config'
option canary_domains_icloud '1'
option canary_domains_mozilla '1'
option dnsmasq_config_update '*'
option force_dns '1'
list force_dns_port '53'
list force_dns_port '853'
option procd_trigger_wan6 '0'
config https-dns-proxy
option resolver_url 'https://dns.nextdns.io/<snip>'
option bootstrap_dns '8.8.8.8'
I think I did something wrong somewhere, or it must be a bug. I ran ipconfig /flushdns, I also restarted dnsmasq, and I also forced a DNS server by changing it, to ensure it isn't bypassing the DNS hijack due to a packet handshake with the firewall.
If I use stubby, my port hijacking works, but something seems to go wrong specifically with DoH and the dnsmasq resolver/forwarder; maybe I just misunderstood something about hijacking with DoH.
The clients' DNS resolver is non-DoH; in Windows I can ensure it uses non-DoH, but for some reason it still doesn't hijack DNS once DoH is involved on the router.
It must follow this path, am I correct?
PC -> dnsmasq listening at 0.0.0.0 -> the local https-dns-proxy listeners dnsmasq is configured to forward to (127.0.0.1#5053 and 127.0.0.1#5054 in the dnsmasq server list above) -> upstream DoH resolver.