Confirm custom DNS settings

I am concerned about complicated directions for setting custom DNS that I have read involving DHCP, firewall, routing, etc.

I have a simple network with a main router and a wired/wireless "dumb access" point. Both devices are Cudy WR3000S running OpenWrt 24.10. They have the same SSID and security key. Everything seems to be working fine.

Would someone please confirm that the following is all that one must do to set custom DNS or tell me what I am missing?

On the main router:

  • lan interface, advanced settings, use custom DNS server, enter IP address of custom DNS server
  • wan interface, advanced settings, use custom DNS server, enter IP address of custom DNS server
  • wan interface, advanced settings, disable "Use DNS servers advertised by peer"

On the dumb AP:

  • lan interface, advanced settings, use custom DNS server, enter IP address of the main router

How can I verify that the custom DNS server is being used?

Many thanks for your help!

Do not touch it at all.

Google for a DNS leak test.

Thanks, AndrewZ. I removed the custom DNS server from the main router's lan interface.

Mullvad's connection check reports DNS leaks. It also reports three IP addresses that my DNS queries originate from. Two of them are at the ISP. I do not recognize the third one.

But I have custom DNS set to 9.9.9.9, so my ISP should not see my DNS queries.

What's wrong?

Check your system log for lines similar to these:

Wed Apr 30 19:19:46 2025 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Wed Apr 30 19:19:46 2025 daemon.info dnsmasq[1]: using nameserver x.x.x.x#53
Wed Apr 30 19:19:46 2025 daemon.info dnsmasq[1]: using nameserver y.y.y.y#53

Enable query logging in DHCP configuration then run a single query and see what is in the log.

Sun May  4 10:15:21 2025 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Sun May  4 10:15:21 2025 daemon.info dnsmasq[1]: using nameserver 9.9.9.9#53
Sun May  4 10:15:21 2025 daemon.info dnsmasq[1]: using nameserver 2607:fdc8:c::2#53
Sun May  4 10:15:21 2025 daemon.info dnsmasq[1]: using nameserver 2607:fdc8:c::3#53

So there seems to be evidence that 9.9.9.9 is being used.

After I set queries to be logged, the log shows DNS requests being forwarded to a MAC address, not an IP address. So I cannot tell where they are going.

What do you think this means?

Can we see this please?

that belongs to AS30036 Mediacom Communications Corp
Is this your ISP?

Some queries show only MAC addresses:

Sun May  4 11:58:00 2025 daemon.info dnsmasq[1]: 209 192.168.1.100/50796 query[AAAA] mullvad.net from 192.168.1.100
Sun May  4 11:58:00 2025 daemon.info dnsmasq[1]: 209 192.168.1.100/50796 forwarded mullvad.net to 2607:fdc8:c::3
Sun May  4 11:58:00 2025 daemon.info dnsmasq[1]: 210 192.168.1.100/63604 query[A] ipv4.am.i.mullvad.net from 192.168.1.100
Sun May  4 11:58:00 2025 daemon.info dnsmasq[1]: 210 192.168.1.100/63604 forwarded ipv4.am.i.mullvad.net to 2607:fdc8:c::3
Sun May  4 11:58:00 2025 daemon.info dnsmasq[1]: 210 192.168.1.100/63604 reply ipv4.am.i.mullvad.net is 45.83.223.233
Sun May  4 11:58:00 2025 daemon.info dnsmasq[1]: 209 192.168.1.100/50796 reply mullvad.net is NODATA-IPv6

Some queries show 9.9.9.9 and MAC addresses:

Sun May  4 11:58:12 2025 daemon.info dnsmasq[1]: 211 192.168.1.100/53828 query[PTR] lb._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.100
Sun May  4 11:58:12 2025 daemon.info dnsmasq[1]: 211 192.168.1.100/53828 forwarded lb._dns-sd._udp.0.1.168.192.in-addr.arpa to 9.9.9.9
Sun May  4 11:58:12 2025 daemon.info dnsmasq[1]: 211 192.168.1.100/53828 forwarded lb._dns-sd._udp.0.1.168.192.in-addr.arpa to 2607:fdc8:c::2
Sun May  4 11:58:12 2025 daemon.info dnsmasq[1]: 211 192.168.1.100/53828 forwarded lb._dns-sd._udp.0.1.168.192.in-addr.arpa to 2607:fdc8:c::3

Yes. Why do some queries show both 9.9.9.9 and my ISP? Why is my ISP here at all?

There are no MAC addresses there. Some queries are forwarded to IPv6 addresses. You may need to ignore assigned DNS servers separately on WAN6 interface or configure Quad9's IPv6 DNS addresses there.

Oh. Thank you. Good that you asked to see the log entries. You are very helpful.

Do you recommend one approach or the other or both? Or is this more trial and error?

How about disabling "Use DNS servers advertised by peer" on wan6?

Since you're in a dual-stack environment with both IPv4 and IPv6 connectivity available, I would probably suggest configuring both WAN and WAN6 in a similar way - ignore advertised servers, statically configure the v4 and v6 addresses of Quad9 or another service of choice.

Is disabling the wan6 interface a good option?

Absolutely not. But if you're not familiar with IPv6 yet, then you should probably not use it in LAN - disable DHCPv6, don't delegate prefix to LAN, etc.


Disable local IPv6 DNS server?

Which setting to use for RA service on IPv6?

You need to disable both RA-Service and DHCPv6-Service.

Where is the SLAAC setting?

We seem to be making progress. Or we have achieved success:

Sun May  4 12:27:18 2025 daemon.info dnsmasq[1]: 3584 192.168.1.100/65270 forwarded forum.openwrt.org to 9.9.9.9
Sun May  4 12:27:18 2025 daemon.info dnsmasq[1]: 3584 192.168.1.100/65270 forwarded forum.openwrt.org to 149.112.112.112
Sun May  4 12:27:18 2025 daemon.info dnsmasq[1]: 3584 192.168.1.100/65270 forwarded forum.openwrt.org to 2620:fe::fe
Sun May  4 12:27:18 2025 daemon.info dnsmasq[1]: 3584 192.168.1.100/65270 forwarded forum.openwrt.org to 2620:fe::9

This look-up uses Quad9's two IPv4 addresses and its two IPv6 addresses. Beautiful.

I just cannot find a setting for SLAAC anywhere.

No worries - it's not available once RA-Service is disabled.

Andrew, I cannot thank you enough. You've given me immediate, personalized service that solved my problem. Absolutely wonderful. Thank you!
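
Added example, not part of the original thread: a shell function that automates the check done by eye above, tallying every upstream that dnsmasq's query log shows in "forwarded ... to" lines and flagging any that are not on an allow-list. The names `dns_leak_check`, `sample_log` and `ALLOWED` are hypothetical, and the allow-list assumes the four Quad9 addresses from the final log; the sample input is copied from the log lines posted earlier in the thread.

```shell
#!/bin/sh
# Added example: tally the upstream resolvers dnsmasq forwarded queries to
# and flag any that are not on an allow-list. On the router: logread | dns_leak_check

# Allow-list (assumption): the four Quad9 addresses seen in the thread's final log.
ALLOWED="9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9"

# Reads dnsmasq query-log lines on stdin, prints "<count> <upstream> <ok|LEAK>"
# per upstream (sorted by address) and returns 1 if any upstream is off the list.
dns_leak_check() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # ... dnsmasq[1]: <id> <client>/<port> forwarded <name> to <upstream>
        NF >= 4 && /dnsmasq\[[0-9]+\]:/ && $(NF-3) == "forwarded" && $(NF-1) == "to" {
            seen[$NF]++
        }
        END {
            rc = 0; cmd = "sort -k2"
            for (u in seen) {
                verdict = (u in ok) ? "ok" : "LEAK"
                if (verdict == "LEAK") rc = 1
                printf "%d %s %s\n", seen[u], u, verdict | cmd
            }
            close(cmd)
            exit rc
        }
    '
}

# Sample input: log lines copied from the thread (before WAN6 was fixed).
sample_log() {
    cat <<'EOF'
Sun May  4 11:58:00 2025 daemon.info dnsmasq[1]: 209 192.168.1.100/50796 query[AAAA] mullvad.net from 192.168.1.100
Sun May  4 11:58:00 2025 daemon.info dnsmasq[1]: 209 192.168.1.100/50796 forwarded mullvad.net to 2607:fdc8:c::3
Sun May  4 11:58:00 2025 daemon.info dnsmasq[1]: 210 192.168.1.100/63604 forwarded ipv4.am.i.mullvad.net to 2607:fdc8:c::3
Sun May  4 11:58:00 2025 daemon.info dnsmasq[1]: 210 192.168.1.100/63604 reply ipv4.am.i.mullvad.net is 45.83.223.233
Sun May  4 11:58:12 2025 daemon.info dnsmasq[1]: 211 192.168.1.100/53828 forwarded lb._dns-sd._udp.0.1.168.192.in-addr.arpa to 9.9.9.9
Sun May  4 11:58:12 2025 daemon.info dnsmasq[1]: 211 192.168.1.100/53828 forwarded lb._dns-sd._udp.0.1.168.192.in-addr.arpa to 2607:fdc8:c::2
EOF
}

sample_log | dns_leak_check || echo "queries are reaching resolvers outside the allow-list"
```

Query logging must be enabled for the "forwarded" lines to appear, and the check only covers queries that pass through the router's dnsmasq.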
