DoH (Private DNS) on Android Phones

I recently noticed that Android phones with Private DNS enabled cannot connect to my Wi-Fi. To be specific, they try to connect but then drop the connection with the error message "Privacy DNS Server not available".

This is because I added this block list to block known DoH servers, since I don't want devices to circumvent Pi-hole.

For Apple's Private Relay and Firefox's DoH there are two options in Pi-hole to tell Apple devices or Firefox that these functionalities are not available on this network:

  • dns.specialDomains.iCloudPrivateRelay
  • dns.specialDomains.mozillaCanary

When these are enabled, Apple devices disable Private Relay and Firefox doesn't use DoH. Do you know whether there is some special domain that signals to Android devices that DoH is not available on the network, or is the only way to make them connect for the user to disable Private DNS for my network?

As far as I am aware, Android does not query a canary domain, but only offers an 'Automatic' option that uses the DNS servers announced by your network, which should make it fall back to plain DNS if your router only propagates that, but switching to that would deprive you of picking your own preferred DoT servers.

I personally don't use it, but run a WireGuard server next to Pi-hole, with my smartphone's WireGuard app enabling me to use my Pi-hole for DNS from remote networks.

I got my hands on a Samsung S23 FE. That was set to "Automatic" and had no issues connecting. So I wonder if there might be something else going on with the phones that cannot connect. Maybe something related to the specific Android version on these phones or some OEM shenanigans.

AFAIK, the settings for Firefox and Private Relay return an NXDOMAIN, don't they? So if I return NXDOMAIN for all blocked domains instead of NULL, would there be any downsides?

What would be the purpose of changing Pi-hole's blocking mode?

Well, I wonder if the phones with Private DNS enabled would behave differently when they receive an NXDOMAIN instead of NULL for the DoH domains.

I doubt that would make a difference, but instead of switching the blocking mode for all of Pi-hole's replies, you could use a regex rule to test that for just a given DoT server domain, like:

^myDoT\.domain\.com$;reply=NXDOMAIN
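As an added example (not from this thread and not part of Pi-hole), here is a stdlib-only Python probe for checking what a resolver actually hands back for a DoH/DoT hostname or for a canary name like use-application-dns.net: NXDOMAIN (rcode 3), a NULL answer (0.0.0.0 / ::, which is what Pi-hole's default NULL blocking mode returns), or a real address. That is exactly the difference the NXDOMAIN-vs-NULL question above is about, and the same probe can be pointed at the Android phone's DoT hostname to see which of the two it is getting. The hostnames, the resolver address and the embedded sample responses are assumptions constructed for illustration; the live probe is optional and only runs when you call it.

```python
"""Classify a resolver's answer for a DoH/DoT hostname or a canary domain.

Added example for this thread, not Pi-hole code. Builds a minimal DNS A query
with the standard library, parses the reply and reports NXDOMAIN, NULL
(0.0.0.0 / ::), NODATA, ERROR or RESOLVED. Constructed responses are embedded
so classify() can be exercised without any network access.
"""
import socket
import struct

# Assumed example names: the Firefox DoH canary and a public DoH/DoT endpoint.
MOZILLA_CANARY = "use-application-dns.net"
EXAMPLE_DOT_HOST = "dns.google"


def build_query(name, qtype=1, txid=0x1234):
    """Raw DNS query: header + QNAME + QTYPE/QCLASS (recursion desired)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name, return the new offset."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # compression pointer, two bytes total
            return off + 2
        off += 1 + ln


def parse_response(msg):
    """Return (rcode, [addresses]) from a raw DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return rcode, addrs


def classify(rcode, addrs):
    """Map a parsed answer onto the categories discussed in the thread."""
    if rcode == 3:
        return "NXDOMAIN"
    if rcode != 0:
        return "ERROR"
    if not addrs:
        return "NODATA"
    if all(a in ("0.0.0.0", "::") for a in addrs):
        return "NULL"             # Pi-hole NULL blocking mode answer
    return "RESOLVED"


def probe(name, resolver, timeout=2.0):
    """Live check: send one UDP/53 A query to `resolver` and classify it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(512)
    return classify(*parse_response(data))


def make_response(name, rcode, addrs=()):
    """Constructed reply matching build_query(name), for offline testing only."""
    q = build_query(name)
    header = struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    body = q[12:]                                  # echo the question section
    for a in addrs:
        fam = socket.AF_INET6 if ":" in a else socket.AF_INET
        rdata = socket.inet_pton(fam, a)
        rtype = 28 if fam == socket.AF_INET6 else 1
        body += b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + body


# Constructed samples: canary answered NXDOMAIN, a DoT host NULL-blocked, and
# the same host resolved normally (addresses are illustrative, not measured).
SAMPLES = {
    "canary_nxdomain": make_response(MOZILLA_CANARY, 3),
    "null_blocked": make_response(EXAMPLE_DOT_HOST, 0, ["0.0.0.0", "::"]),
    "resolved": make_response(EXAMPLE_DOT_HOST, 0, ["8.8.8.8"]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:16s} -> {classify(*parse_response(raw))}")
```

Point probe("dns.google", "<your Pi-hole IP>") at the Pi-hole before and after adding a ;reply=NXDOMAIN rule for that name and the verdict should move from NULL to NXDOMAIN; the same call with the Private DNS hostname configured on the phone shows what the phone is being told.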

Thanks. It seems to be an issue with these specific devices.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.