[ISSUE] The official position on Private DNS support? (DNS-over-TLS and DNS-over-HTTPS)

[mowanotm]

Currently the DNS request on non-53 port is blocked. User of Private DNS will have issue of "no internet access".
One temporary solution for user is to put custom script to get around the issue:
$IPTABLES -I "afwall" -p tcp --dport 853 -j ACCEPT -m comment --comment "DNS-over-TLS"
$IPTABLES -I "afwall" -p tcp --dport 443 -j ACCEPT -m comment --comment "DNS-over-HTTPS"

But, What are the recommended solution for the issue? Given the popularity of using Private DNS, please put the solution on FAQ.

[intika]

I "may" understand allowing tcp 853, but allowing all the 443 https traffic as a solution does look a great idea, basically we allow all web traffic for unknown apps/binaries/system/kernel just to fix this, and on top of it without an option for it on the settings... I know its not easy to implement support for this through iptables tho

@ukanth please make this feature optional as it introduce some serious security concern

A more secure implementation could be using the dns-over-tls servers's IPs (limiting the rule to specific IP) most used servers have fixed address... an other alternative could be to resolve the used domain on private dns settings and use its IP in the rule, an other solution is to add some settings for it on the app to allow needed ip/domains/ports...

Most used dns over tls :

one.one.one.one (1.1.1.1)
1dot1dot1dot1.cloudflare-dns.com (1.0.0.1)
dns.google (8.8.4.4)
dns.quad9.net (149.112.112.112)

Other usual servers:

8.8.4.4,443
8.8.8.8,443
149.112.112.112,443
9.9.9.9,443
149.112.112.9,443
9.9.9.10,443
149.112.112.10,443
9.9.9.11,443
149.112.112.11,443
104.28.1.106,443
104.28.0.106,443
45.90.28.0,443
45.90.30.0,443
176.103.130.131,443
176.103.130.130,443
176.103.130.132,443
176.103.130.134,443
96.113.151.147,443
185.228.168.9,443
185.228.169.9,443
185.228.168.168,443
185.228.169.168,443
185.228.168.10,443
185.228.169.11,443
1.1.1.1,443
1.0.0.1,443

[intika]

anyway here is what I am using on custom script to fix that

iptables -I afwall -p udp --dport 53 -m owner --uid-owner root -j ACCEPT
iptables -I afwall -p tcp --dport 853 -d 1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 -m owner --uid-owner root -j ACCEPT