Correct Way to Set DNS Server

Hi

I have setup a DDNS with DNS-O-MATIC using the DDNS LuCI app. I then set the DNS to the OpenDNS DNS servers, you login into your dashboard and you can do domain blocking and content filtering.

To cut a long story short I would like all my traffic to use the OpenDNS DNS's and I would like to stop any clients from overriding the DNS with a custom one like Google's (8.8.8.8).

My question is where do I actually set the DNS? There's three places I can think of:-

Network > Interfaces > WAN > Common Configuration > Advanced Settings > Use custom DNS servers

Network > Interfaces > LAN > DHCP Server > Advanced Settings > DHCP-options

Network > DHCP and DNS > Server Settings > DNS forwardings

Many thanks

Will

Step 1

On WAN:

Then...

Step 2: https://openwrt.org/docs/guide-user/dns-request-hijacking

Step 2 ensures that clients with built-in or statically-assigned DNS servers (e.g. Google DNS on Android devices) - use the router.

You can use this method if you want Dnsmasq to be your primary DNS-server.
Dnsmasq will forward DNS-queries to custom DNS-servers.
It applies to both LAN-clients and local system by default.
It should be sufficient for most users.

This method is useful if you want to remove DNS-server role from Dnsmasq.
It applies only to LAN-clients.

This method is often used to provide DNS over HTTPS/TLS via Dnsmasq and dnscrypt-proxy/Stubby/Unbound.
It applies only to LAN-clients by default.

Is that even possible without making such restriction in the clients themselves?

You can either intercept or block forwarded DNS-queries.
For example, see Step 2 the post above by @lleachii.

Oh yes, it's right there!

Okay I've added the OpenDNS servers to the WAN

I then overridden the DNS on Windows 10 to Google's DNS server

On OpenDNS Dashboard I have blocked cheese.com

OpenDNS Dashboard.png1284×964 73.5 KB

Why are you doing it?
Revert to automatic configuration via DHCP.

I'm trying to block use of any other DNS server. If I bypass the OpenDNS server set on the router using another DNS server on the client It defeats the objective of using OpenDNS' content filtering.

It has already been mentioned above twice.
Read the thread carefully.

Well I made a firewall rule and then I was unable to connect to any website. I've had to revert back at the moment as people are using the internet.

Then you need to perform the troubleshooting:

uci show firewall
iptables-save -t nat
netstat -l -n -p | grep -e :53 -e dnsmasq

That may not work in all cases, That rule only covers UDP port 53 and DNS will sometimes use TCP.

Is it possible to get one of moderators to change that to either "ANY" protocol or at the very least set it at "TCP + UDP"

link to page I looked at:
https://openwrt.org/docs/guide-user/dns-request-hijacking

I run 2 DNS serrvers locally and have firewall rules setup in Luci firewall settings.

# Force my DNS servers
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.200.11:53
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.200.11:53
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.200.13:53
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.200.13:53

iptables -t nat -I PREROUTING -i br-lan -p tcp -s 192.168.200.11 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p udp -s 192.168.200.11 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p tcp -s 192.168.200.13 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p udp -s 192.168.200.13 --dport 53 -j ACCEPT

#End iptable rules

I also have rules to block google's IPv4 and IPv6 DNS servers that I created in Luci Traffic Rules.

These rules in Luci Firewall also seem to work for one local DNS server but I do not use them anymore, Can't remember why

iptables -t nat -A PREROUTING -i br-lan -p udp ! --source 192.168.200.11 ! --destination 192.168.200.11 --dport 53 -j DNAT --to 192.168.200.11
iptables -t nat -A PREROUTING -i br-lan -p tcp ! --source 192.168.200.11 ! --destination 192.168.200.11 --dport 53 -j DNAT --to 192.168.200.11

@sml156, FYI OpenWrt discourages:

• Operating raw iptables commands unless it's really necessary.
• Ignoring pre-configured firewall chains.
• Using physical interface names.

Did not know that, I will have to search the forum unless you know a link that can read about it.

Thank's I may be figuring out another way to solve the problem this weekend, I have a couple of devices that don't respect my DHCP servers wishes with "option6".

Do you have devices on your network that have UDP blocked?
Simply make a TCP rule as well. Good catch!

You would add a DHCP Option 6 in the LuCI web GUI:

Screenshot%20from%202018-09-26%2010-48-36884×90 6.13 KB

You can also give a specific DHCP reply to the particular client...

I actually know about Openwrt and it's option 6 box and I believe your second example is called tagging.

For over a year now I have been disabling Openwrt's DHCP server and using 2 Pihole"s, each running DHCP and DNS.

I just got a new Samsung S8 phone before Christmas and noticed in my logs that even though I had setup option6 on the DHCP server's to point to my PiHoles it would bypass them and go strait to Google's DNS servers every other device would use what I told it to.

This is a new feature that newer Android devices have started (for me) since Android 8 Oreo and the only cure I have found is to block Google's IPv4 and IPv6 DNS servers, This forces my phone to use my server and the iptable rules help which I might change over the weekend for a more approved method.

More and more devices in the future are going to hard code in their own preferred DNS servers.

I applaud Google for making the internet a bit easier for the masses but I wish they included a way to disable it for fringe cases like me, I have no idea what corporation's do who have strict rules about logging and what sites people are aloud to visit.

About pihole if you have never heard about it.

I doubt this. IPs are not a permanent fixture. Hard coding in Android's case is actually pretty bad.

I don't see how that's easy. This means those devices won't resolve local hostnames from the OpenWrt.

Well, that's your issue - you completely disabled it.

Enabling your OpenWrt's Dnsmasq and adding the DNS HIjack firewall rule(s) should fix the problem of your clients using their own static DNS server.

adblock has a tick box for that.... for users who are GUI inclined... it's "lan" zone only... but you could diff to get the rules

Force Local DNS
 
Redirect all DNS queries from 'lan' zone to the local resolver, apply to udp and tcp protocol on ports 53, 853 and 5353.

opkg update; opkg install adblock luci-app-adblock diffutils;
iptables-save > /tmp/prednsredir;
echo "go and tick option";
iptables-save > /tmp/postdnsredir;
diff /tmp/prednsredir /tmp/postdnsredir

At the moment I'm back on my stock Linksys WRT1900AC firmware after I realised my ISP DNS servers weren't working on my own compiled OpenWRT build. I first tried my ISP router and everything worked so I then checked the stock firmware for my router and that seems to be working. As soon as I'm the only one on the internet I'm going to flash a stable 18.06.2 build and see if I can get the ISP DNS servers working, because that me a reason why my firewall ports weren't behaving. If no luck I will try

uci show firewall
iptables-save -t nat
netstat -l -n -p | grep -e :53 -e dnsmasq

as vgaetera mentioned.

However, I did notice that with the the box 'Use DNS servers advertised by peer' checked and setting DHCP-option 6 to '6,208.67.220.220,208.67.222.222' actually established connections.

Also in regards to the hard encoded Google DNS servers, I can confirm that under the advanced options there is default options in the DNS server boxes.

Screenshot_2019-03-27-08-10-25.png1440×2880 194 KB