Force DNS not working in mobile phones

I’m trying to force DNS on all my devices in my network using Pi-Hole and I’ve already tried all the solutions in this forum (for seven days already). They work great when used on laptops. (The latest solution I have is this video from Mikrotik: https://www.youtube.com/watch?v=EdzDCkFaskc)

But I just can’t get this working with mobile phones, e.g. Android. I can easily bypass the DNS I want to apply.

Does anyone know how to force DNS on the mobile phones?

The NAT rules are working on our laptops. I just want to implement it on our mobile phones.

Pi-Hole Address: 192.168.5.125
Devices and Mikrotik router are in the same network: 192.168.5.0/24

There are a few issues you have to consider when doing this.

  • Is IPv6 DNS also redirected to Pi-hole?
  • Is DoH blocked?
  • Is DoT blocked?

Nowadays, quite often DoH is used by default, which renders the method from the video useless.

Mobile phones / mobile browsers are using secure DNS / private DNS.

Thanks for the reply!

Q1: We don’t use IPv6 in our country so I’m not sure if our devices would use IPv6 DNS. But I’ll try to dig up some guides just in case.
Q2 and Q3: Have not considered doing this. I’ll do some research.

Yeah, I’m aware of this, but I’m looking for solutions on the router level.

You “simply” have to block all the IPs of the well-known DoH or DoT servers on the router, to force the usage of simple DNS.
Still a small loophole, in case somebody runs his private DoH server, though. Or your list of well-known DoH/DoT servers is incomplete; requires regular updates, of course.

And it works!!! Thank you for suggesting this.

I followed this guide here: https://github.com/ncravino/mikrotik_enforce_dns_block_doh and added the IPs of the listed DoH servers in Mikrotik.

I noticed, though, that the filter rule does not work. So I tried NAT and voilà, it redirects to my Pi-Hole!

And this even bypassing the DNS servers (edit: I mean, Pi-Hole)

I’ll observe this in the coming days, but so far, the steps I made to bypass before are not working. They are redirected to Pi-Hole.

I did something very similar, running OpenWrt on a Mikrotik, to include a customized DNS server/recursor, similar to Pi-hole, in the same box.

Looks like Android has a setting called “Private DNS” that’s set to “Automatic” by default and that seems to make the device prefer to use Google’s own DoH DNS servers, ignoring the DHCP server ones. Disabling that setting makes the OS then honor the DHCP server’s list.
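
The router-level setup this thread converges on (redirect port 53, block DoT, block known DoH servers), written out as a RouterOS rule set. This is an added example, not taken from any post or from the linked guide: the `LAN` interface list, the `doh-servers` list name and its two documentation-range entries are assumptions, while 192.168.5.125 and 192.168.5.0/24 are the addresses given in the first post.

```routeros
# Added example. Assumptions: interface list "LAN" contains the LAN bridge;
# "doh-servers" is a list name chosen here; its two entries are
# documentation-range placeholders, not real DoH resolvers.

/ip firewall address-list
add list=doh-servers address=192.0.2.10 comment="placeholder DoH resolver"
add list=doh-servers address=198.51.100.20 comment="placeholder DoH resolver"

/ip firewall nat
# Redirect plain DNS from every LAN client to the Pi-hole. The Pi-hole itself
# is excluded, otherwise its own upstream queries would loop back to it.
add chain=dstnat action=dst-nat to-addresses=192.168.5.125 to-ports=53 \
    protocol=udp dst-port=53 in-interface-list=LAN \
    src-address=!192.168.5.125 dst-address=!192.168.5.125 \
    comment="force DNS to Pi-hole (udp)"
add chain=dstnat action=dst-nat to-addresses=192.168.5.125 to-ports=53 \
    protocol=tcp dst-port=53 in-interface-list=LAN \
    src-address=!192.168.5.125 dst-address=!192.168.5.125 \
    comment="force DNS to Pi-hole (tcp)"

# Hairpin NAT: the Pi-hole sits in the same subnet as the clients, so without
# this it answers the client directly and the client discards a reply that
# comes from an address it never queried. Side effect: redirected queries
# show up in the Pi-hole log with the router's address as the client.
add chain=srcnat action=masquerade protocol=udp dst-port=53 \
    src-address=192.168.5.0/24 dst-address=192.168.5.125 \
    comment="hairpin for redirected DNS (udp)"
add chain=srcnat action=masquerade protocol=tcp dst-port=53 \
    src-address=192.168.5.0/24 dst-address=192.168.5.125 \
    comment="hairpin for redirected DNS (tcp)"

/ip firewall filter
# These rules must sit above any rule that accepts LAN-to-WAN forwarding.
# DoT uses TCP 853; the Pi-hole is exempt in case it uses DoT upstream.
add chain=forward action=reject reject-with=tcp-reset protocol=tcp \
    dst-port=853 in-interface-list=LAN src-address=!192.168.5.125 \
    comment="block DoT"
# DoH is ordinary HTTPS, so it can only be blocked by destination address.
# UDP 443 covers DoH over HTTP/3 (QUIC).
add chain=forward action=drop protocol=tcp dst-port=443 \
    dst-address-list=doh-servers in-interface-list=LAN comment="block DoH"
add chain=forward action=drop protocol=udp dst-port=443 \
    dst-address-list=doh-servers in-interface-list=LAN comment="block DoH (QUIC)"
```

As noted in the thread, the DoH block is only as good as the address list, so the list needs regular updates and does not cover a privately run DoH server.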