Blocking ISP advertised DNS

Hello,

My topology is as follows: x86 OpenWRT Router -> Belkin RT3200 as Wi-Fi dumbAP. My ISP provides me with a PPPoE connection with an IPv6 address. My issue is that the IPv6 address also comes with an ISP-advertised DNS resolver. This resolver seems to take precedence over my own defined DNS resolvers set in the WAN and WAN6 interface. Here is what my WAN and WAN6 interface Advanced Settings look like:
WAN:


WAN6:

Interestingly enough, although I have the option "Use DNS servers advertised by peer" unticked, I still see the following in the Status -> Overview panel.
Note here that the ISP's DNS resolvers are still showing in the DNS list, although at numbers 3 & 4, even though I have unchecked the option to "Use DNS servers advertised by peer".
Now, when I check with dnsleaktest.com to see who my DNS resolver is, it isn't Quad 9, as I have requested, but still the advertised ISP DNS resolver:

This is rather curious. I would like to use my own stated DNS resolvers, instead of the ISP's and wonder how I might go about it.

they could be intercepting your DNS requests.

this might be wrong, but yet OK, WAN DNS IPs <> client DNS IPs.
what DNS IPs have your clients got ?

install https-dns-proxy, it'll be harder to intercept.


This seems to be the only solution I have found so far. Ideally though, I would like to install Adguard Home, which doesn't seem to be able to deal with the ISP's interception. The reasoning behind this would be the added DNS filters that Adguard provides. Although, admittedly, ControlD provides some of this functionality with their DOH servers in https-dns-proxy.

I'm not quite sure what you mean here. Do you mean WAN DNS IPs are not the same as client DNS IPs?

Thanks for providing some food for thought.

never used AGH, but if they send their requests in clear text, then yes, the same will happen with their DNS traffic.

by default they would be (technically, the router IP would be DNS, and it'd then use whatever is defined for the WAN port), but it's obviously, as always, a matter of configuration :wink:

in openwrt there are (at least) DNS settings for

  • WAN
  • LAN
  • clients

keep in mind client apps and OSes have a will of their own

browsers will use predefined DoH servers
apps could use hardcoded DNSes
OSes could use predefined DoT or DoH servers


Looks as though it supports various secure DNS protocols

They are setup to use DHCP advertised DNS servers.

True. When my ISP sent me the confirmation of my IPv6 address, they stated that "Zen has an IPv6-only DNS resolver (located at 2a02:8010:1::212:23:3:100) which is applied to routers who request it over DHCPv6". So the only setting that I could think would apply to this is the one I unticked, "Use DNS server advertised by peer." I am not sure where else this option should be disabled.

The beauty of Adguard is you can specify your own DOH servers and have ad related queries dealt with appropriately.

yes. but what are those ?

that's why I said it's wrong, but still not an issue, since you can make the clients use something completely different.

assuming your clients actually use the DNS IPs you provide them with, check my last post.

They should be the ones that I have setup on my router's DHCPv6 interfaces? No?


Client/Host side configuration is an option, but to setup each device seems like the long way around to me when I simply want clients to use the ones that I am advertising through DHCPv6.


those are the LAN side DNS settings, they don't apply to clients.

again, what DNS IPs are your clients getting ?

that's why you should advertise them via the DHCP.

Thank you for sticking with me, I can understand it must seem frustrating to someone who gets these concepts. IPv6 is new territory for me. Okay I now think that you are saying that checking the "use dns servers advertised by peers" will advertise the custom dns servers to my hosts/clients?

no, you should use option 6 from https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_options via cli or in

for additional info, read https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#Options

I don't think it is necessary to advertise different nameservers to the clients by DHCP option 6. By default the OpenWrt will be advertised and it will then forward the query accordingly to ADG or whatever upstream forwarder it is configured. It will anyway not solve the problem of ISP hijacking DNS.

Explicitly set wan6 to ignore the ISP-advertised DNS. The option is missing in some LuCI versions.

uci set network.wan6.peerdns='0'
uci commit network

Okay. I have restarted the router after amending the network file to look like this:

config interface 'wan'
	option proto 'pppoe'
	option device 'eth1.911'
	option username 'redacted'
	option password 'redacted'
	option delegate '0'
	option ethtool_opts 'rx-usecs 0'
	option ipv6 '1'
	option dns_metric '0'
	option peerdns '0'
	list dns '9.9.9.9'
	list dns '149.112.112.112'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option reqaddress 'try'
	option reqprefix 'auto'
	list dns '2620:fe::fe'
	list dns '2620:fe::9'
	option dns_metric '0'
	option peerdns '0'

I forgot to include in my post to run ifup wan6 after making the change. At least confirm with ifstatus wan6 that the ISP DNS servers are in the inactive portion of the output before going much deeper on the hijacking theory.


and for the 4th time, what DNS IPs are your clients listing ...


I have run the ifup wan6 command and then proceeded to run ifstatus wan6, here is the output I got:

{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 43,
        "l3_device": "pppoe-wan",
        "proto": "dhcpv6",
        "device": "pppoe-wan",
        "metric": 0,
        "dns_metric": 0,
        "delegation": false,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2a02:8011:d017:38dd::1",
                        "mask": 64,
                        "preferred": 604786,
                        "valid": 2591986
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "2a02:8012:3b68::",
                        "mask": 48,
                        "preferred": 86357,
                        "valid": 86357,
                        "class": "wan6",
                        "assigned": {

                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::5ae4:34ff:fe2f:1faf",
                        "metric": 512,
                        "valid": 1786,
                        "source": "::/0"
                }
        ],
        "dns-server": [
                "2620:fe::fe",
                "2620:fe::9"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [
                        "2a02:8010:6:0:212:23:3:100",
                        "2a02:8010:6:0:212:23:6:100"
                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "passthru": "001700202a0280100006000002120023000301002a028010000600000212002300060100"
        }
}

When querying Windows on one of my hosts it seems to list the following DNS servers:

Both being the IP and IPv6 addresses of the router.
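As an added illustration (not part of anyone's post), this decodes the "passthru" blob from the ifstatus wan6 output above, which is the raw DHCPv6 option data the OpenWrt DHCPv6 client received, and checks that the peer-advertised resolvers (DHCPv6 option 23, OPTION_DNS_SERVERS) ended up only in the inactive list while the configured Quad9 addresses are the active ones. The JSON below is a constructed, trimmed copy of that output.

```python
import ipaddress
import json

# Constructed sample: trimmed from the ifstatus wan6 output posted above.
IFSTATUS_WAN6 = json.loads("""
{
  "up": true,
  "proto": "dhcpv6",
  "dns-server": ["2620:fe::fe", "2620:fe::9"],
  "inactive": {
    "dns-server": ["2a02:8010:6:0:212:23:3:100", "2a02:8010:6:0:212:23:6:100"]
  },
  "data": {
    "passthru": "001700202a0280100006000002120023000301002a028010000600000212002300060100"
  }
}
""")

OPTION_DNS_SERVERS = 23  # DHCPv6 OPTION_DNS_SERVERS, RFC 3646


def parse_passthru(hexblob):
    """Split the passthru blob into (option_code, value) pairs.
    Each DHCPv6 option is a 2-byte code, a 2-byte length, then the value."""
    raw = bytes.fromhex(hexblob)
    options, pos = [], 0
    while pos + 4 <= len(raw):
        code = int.from_bytes(raw[pos:pos + 2], "big")
        length = int.from_bytes(raw[pos + 2:pos + 4], "big")
        value = raw[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated DHCPv6 option")
        options.append((code, value))
        pos += 4 + length
    return options


def advertised_dns_servers(hexblob):
    """IPv6 resolvers the peer advertised in OPTION_DNS_SERVERS (16 bytes each)."""
    servers = []
    for code, value in parse_passthru(hexblob):
        if code == OPTION_DNS_SERVERS:
            for i in range(0, len(value), 16):
                servers.append(str(ipaddress.IPv6Address(value[i:i + 16])))
    return servers


def check_peerdns(status, wanted):
    """True when the active list is exactly the configured resolvers and every
    peer-advertised resolver sits only in the inactive section (peerdns='0')."""
    advertised = set(advertised_dns_servers(status["data"]["passthru"]))
    active = set(status.get("dns-server", []))
    inactive = set(status.get("inactive", {}).get("dns-server", []))
    return active == set(wanted) and advertised.isdisjoint(active) and advertised <= inactive
```

On the router itself the same JSON can be fed in with `ifstatus wan6` piped into the script; a passing check only proves the router's own upstream choice, not that the ISP leaves port 53 traffic alone.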

so that's correct.

Yes. It seems so.