Custom DNS server not working (DNS forwarding)

I have tried multiple fixes that were mentioned in other threads. But none of them have worked.

I am trying to use my custom DNS server, located in the DMZ network.

Every other network's DNS requests should be sent to the custom DNS server. This will be LAN and DMZ.

I have added the custom DNS server to the DHCP server (this works! But I also want to make OpenWrt forward all DNS requests to my DNS server.)

On my WAN interface (IPv4, I don't have IPv6):
</gre_replace>
<gr_replace lines="126" cat="remove_boilerplate" orig="1 Like">

  • I have disabled "Use DNS servers advertised by peer"
  • I entered my custom DNS server as: Custom DNS servers: "192.168.22.26"

On my DHCP / DNS config, I have added DNS forwardings:

  • 192.168.22.26

network config:

config globals 'globals'
        option ula_prefix 'fd0f:7b8e:7244::/48'

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option delegate '0'
        list dns '192.168.22.26'
        option peerdns '0'

config interface 'DMZ'
        option ifname 'eth0.3'
        option proto 'static'
        option netmask '255.255.255.128'
        option delegate '0'
        option ipaddr '192.168.22.1'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '70:4f:57:b2:6a:85'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 4t 2'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 4t'

config interface 'Wireguard'
................

dhcp config:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option dns '192.168.22.26'
        list server '192.168.22.26'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dns '192.168.22.26'
        list domain 'hedium.local'
        list dhcp_option '6,192.168.22.26'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'DMZ'
        option interface 'DMZ'
        option leasetime '30m'
        option start '100'
        option limit '20'
        list dhcp_option '6,192.168.22.26'
1 Like

If this works, what isn't, specifically....?

It's unclear what exactly the issue is. If you want to block other DNS then add firewall rules to drop requests to port 53 on the WAN.

I want to have OpenWrt forward incoming DNS requests to the DNS server.

So, when non-DHCP clients still use 192.168.1.1 as their DNS, I don't want it to be forwarded to my ISP's DNS, but to my own DNS.

Should be under DMZ interface, not wan.
Then it is not necessary to declare it again in the config dnsmasq section.
Other than that the solution is fine.

I have tried this, but it did not fix my issue.

Config:

config globals 'globals'
        option ula_prefix 'fd0f:7b1e:7424::/48'

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option delegate '0'
        option peerdns '0'

config interface 'DMZ'
        option ifname 'eth0.3'
        option proto 'static'
        option netmask '255.255.255.128'
        option delegate '0'
        option ipaddr '192.168.22.1'
        list dns '192.168.22.26'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '70:4f:57:b2:6a:85'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 4t 2'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 4t'

config interface 'Wireguard'
.....

Correct me if I have understood it wrong. As you mentioned here OpenWrt must forward the queries from clients to the nameserver in DMZ.
Is there evidence that this is not the case?

Ah sorry, I should have provided some more information.

When I do an NS lookup from a client pc:

nslookup ns.hedium.local 192.168.1.1
** server can't find ns.hedium.local: NXDOMAIN
nslookup openwrt.org 192.168.1.1
Name:	openwrt.org
Address: 139.59.209.225
nslookup ns.hedium.local 192.168.22.26
Name:	ns.hedium.local
Address: 192.168.22.26

So the DNS server does know the domain, but when I ask OpenWrt it doesn't send the request to the DNS server.

The DNS server does not receive any requests from OpenWrt, and it does receive the requests directly from the previous nslookup.

Monitored traffic using:

sudo tcpdump -i any udp port 53

The output clearly lists the direct requests, but doesn't show any requests from OpenWrt. (Hidden because it shows a lot of other junk.)

Do this and you'll get your answer:
service dnsmasq restart ; logread -e dnsmasq | grep "domain local"

log output:

Fri Oct  8 11:16:59 2021 daemon.info dnsmasq[5598]: using local addresses only for domain localhost
Fri Oct  8 11:16:59 2021 daemon.info dnsmasq[5598]: using local addresses only for domain local
Fri Oct  8 11:16:59 2021 daemon.info dnsmasq[5598]: using local addresses only for domain localhost
Fri Oct  8 11:16:59 2021 daemon.info dnsmasq[5598]: using local addresses only for domain local

Also, on restarting dnsmasq I get:

udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing

nslookup still can't find the domain.

Irrelevant.

Did you read the log output?

Yes, I have removed the grep to get a bit more output.

It does mention

Fri Oct  8 11:16:59 2021 daemon.info dnsmasq[5598]: using nameserver 192.168.22.26#53

(I still had the extra line in dnsmasq for dns forwarding, but removing that didn't change much)

Full output after a restart:

Fri Oct  8 11:25:16 2021 daemon.info dnsmasq[5803]: exiting on receipt of SIGTERM
Fri Oct  8 11:25:16 2021 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Fri Oct  8 11:25:16 2021 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: started, version 2.80 cachesize 150
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: DNS service limited to local subnets
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq-dhcp[6196]: DHCP, IP range 192.168.22.100 -- 192.168.22.119, lease time 30m
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq-dhcp[6196]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain test
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain onion
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain localhost
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain local
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain invalid
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain bind
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain lan
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: reading /tmp/resolv.conf.auto
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain test
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain onion
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain localhost
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain local
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain invalid
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain bind
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain lan
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using nameserver 192.168.22.26#53
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: read /etc/hosts - 4 addresses
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq-dhcp[6196]: read /etc/ethers - 0 addresses

You didn't need to, the answer is in the logs.


For anyone having this same problem, here is the config that works:

  • Add your custom DNS server to the interface that the server is on. For me, my server is located in my DMZ network, so I added the custom DNS server to my DMZ interface.
  • Disable the WAN DNS servers by disabling "Use DNS servers advertised by peer" (WAN Interface > Advanced). (If you have IPv6, do this on both interfaces.)

Optional:

  • Add your domain name under the "Domain whitelist" option. I had to do this, but it might not be necessary for every domain. (I use a weird domain name, not a .com / .eu etc.) (Located under DHCP and DNS > General)

Off to the races! Make sure you allow DNS requests in the firewall and you should be good to go!
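The log lines in this thread ("using local addresses only for domain local" next to "using nameserver 192.168.22.26#53") explain the NXDOMAIN: dnsmasq chooses the upstream per query by the most specific matching domain rule, and a rule with no upstream address means "answer from local data only, never forward". Because `local` is one of the reserved names dnsmasq is told to keep local, every `*.local` name stops at the router while `openwrt.org` falls through to the default upstream. The script below is an added example, not code from the thread or from the dnsmasq/OpenWrt projects: it parses those log lines into a forwarding table, reports what dnsmasq will do with a name, and shows that a more specific rule (`server=/hedium.local/192.168.22.26`, which in UCI is `list server '/hedium.local/192.168.22.26'`) overrides the catch-all `.local` rule. The sample log text is constructed from the lines quoted above, and the override rule is this example's own alternative to the whitelist step the poster used, not something the thread tested.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the lines from the thread's logread output that matter
# for forwarding decisions (the rest are repeats or DHCP/hosts notices).
SAMPLE_LOG = """\
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain test
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain local
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain lan
Fri Oct  8 11:25:22 2021 daemon.info dnsmasq[6196]: using nameserver 192.168.22.26#53
"""

# "using local addresses only for domain D"  <- server=/D/ or local=/D/ (no upstream)
LOCAL_ONLY_RE = re.compile(r"dnsmasq\[\d+\]: using local addresses only for domain (\S+)\s*$")
# "using nameserver A#P for domain D"        <- server=/D/A
DOMAIN_NS_RE = re.compile(r"dnsmasq\[\d+\]: using nameserver (\S+)#\d+ for domain (\S+)\s*$")
# "using nameserver A#P"                     <- default upstream for everything else
DEFAULT_NS_RE = re.compile(r"dnsmasq\[\d+\]: using nameserver (\S+)#\d+\s*$")


class ForwardTable:
    """Minimal model of dnsmasq's per-domain forwarding decision."""

    def __init__(self) -> None:
        self.default_upstreams: List[str] = []
        # domain -> upstream address, or None for "local addresses only"
        self.domain_rules: Dict[str, Optional[str]] = {}

    @classmethod
    def from_log(cls, text: str) -> "ForwardTable":
        table = cls()
        for line in text.splitlines():
            if m := LOCAL_ONLY_RE.search(line):
                table.add_local_only(m.group(1))
            elif m := DOMAIN_NS_RE.search(line):
                table.add_server(m.group(2), m.group(1))
            elif m := DEFAULT_NS_RE.search(line):
                table.add_default(m.group(1))
        return table

    def add_local_only(self, domain: str) -> None:
        self.domain_rules[domain.lower().strip(".")] = None

    def add_server(self, domain: str, addr: str) -> None:
        self.domain_rules[domain.lower().strip(".")] = addr

    def add_default(self, addr: str) -> None:
        if addr not in self.default_upstreams:
            self.default_upstreams.append(addr)

    def decide(self, qname: str) -> Tuple[str, Optional[str]]:
        """Return ("forward", upstream), ("local-only", None) or ("no-upstream", None).

        Local data (/etc/hosts, DHCP leases) is consulted before any of this in
        real dnsmasq; this models only the forwarding choice for names it lacks.
        """
        labels = qname.lower().strip(".").split(".")
        # dnsmasq applies the most specific (longest) matching domain rule;
        # walking from the full name down to the TLD finds that rule first.
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.domain_rules:
                addr = self.domain_rules[suffix]
                return ("local-only", None) if addr is None else ("forward", addr)
        if self.default_upstreams:
            return ("forward", self.default_upstreams[0])
        return ("no-upstream", None)

    def explain(self, qname: str) -> str:
        action, addr = self.decide(qname)
        if action == "forward":
            return f"{qname}: forwarded to {addr}"
        if action == "local-only":
            return f"{qname}: answered from local data only, NXDOMAIN if unknown"
        return f"{qname}: no upstream configured"


if __name__ == "__main__":
    table = ForwardTable.from_log(SAMPLE_LOG)
    print(table.explain("ns.hedium.local"))   # local-only, matches the thread's NXDOMAIN
    print(table.explain("openwrt.org"))       # forwarded to 192.168.22.26
    # Assumed alternative fix: a more specific rule wins over the .local catch-all.
    table.add_server("hedium.local", "192.168.22.26")
    print(table.explain("ns.hedium.local"))   # now forwarded to 192.168.22.26
    print(table.explain("printer.local"))     # other .local names stay local
```

Run it against your own `logread -e dnsmasq` output to see which rule a name hits before touching the config; the log is authoritative for what dnsmasq actually loaded, whereas the UCI file only shows what you asked for.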

