Should be under DMZ interface, not wan.
Then it is not necessary to declare it again in the config dnsmasq section.
Other than that the solution is fine.
Correct me if I have understood it wrong. As you mentioned here, OpenWrt must forward the queries from clients to the nameserver in the DMZ.
Is there evidence that this is not the case?
Fri Oct 8 11:16:59 2021 daemon.info dnsmasq[5598]: using local addresses only for domain localhost
Fri Oct 8 11:16:59 2021 daemon.info dnsmasq[5598]: using local addresses only for domain local
Fri Oct 8 11:16:59 2021 daemon.info dnsmasq[5598]: using local addresses only for domain localhost
Fri Oct 8 11:16:59 2021 daemon.info dnsmasq[5598]: using local addresses only for domain local
Also, on restarting dnsmasq I get:
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
Yes, I have removed the grep to get a bit more output.
It does mention
Fri Oct 8 11:16:59 2021 daemon.info dnsmasq[5598]: using nameserver 192.168.22.26#53
(I still had the extra line in dnsmasq for dns forwarding, but removing that didn't change much)
Full output after a restart:
Fri Oct 8 11:25:16 2021 daemon.info dnsmasq[5803]: exiting on receipt of SIGTERM
Fri Oct 8 11:25:16 2021 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Fri Oct 8 11:25:16 2021 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: started, version 2.80 cachesize 150
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: DNS service limited to local subnets
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq-dhcp[6196]: DHCP, IP range 192.168.22.100 -- 192.168.22.119, lease time 30m
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq-dhcp[6196]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain test
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain onion
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain localhost
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain local
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain invalid
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain bind
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain lan
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: reading /tmp/resolv.conf.auto
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain test
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain onion
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain localhost
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain local
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain invalid
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain bind
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using local addresses only for domain lan
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using nameserver 192.168.22.26#53
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: read /etc/hosts - 4 addresses
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq-dhcp[6196]: read /etc/ethers - 0 addresses
For anyone having this same problem, here is the config that works:
Add your custom DNS server to the interface that the server is on. For me, my server is located in my DMZ network, so I added the custom DNS server to my DMZ interface.
Disable the WAN DNS servers by disabling Use DNS servers advertised by peer (WAN Interface > Advanced). (If you have IPv6, do this on both interfaces.)
Optional:
Add your domain name under the Domain whitelist option. I had to do this, but it might not be necessary for every domain. (I use a weird domain name, not a .com / .eu etc.) (Located under DHCP and DNS > General)
Off to the races! Make sure you allow DNS requests in the firewall and you should be good to go!
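The steps above as a UCI batch plus a check of the dnsmasq log after restart. This is an added example, not the poster's configuration or anything from OpenWrt itself. It assumes the DMZ interface is named "dmz" and the internal domain is "home.internal" (neither is stated in the thread); 192.168.22.26 is the nameserver shown in the log earlier. The whitelist step matters because of the "DNS rebinding protection is active, will discard upstream RFC1918 responses" line in that log: without the domain in rebind_domain, dnsmasq drops private-address answers coming back from the DMZ server for that domain.

```shell
#!/bin/sh
# Added example, not from the thread: maps the LuCI steps above onto UCI and
# adds a post-restart check of the dnsmasq log.
# Assumptions (not stated in the thread): the DMZ interface is called "dmz"
# and the internal zone is "home.internal". 192.168.22.26 is the nameserver
# that appears in the log above.
DMZ_IFACE="${DMZ_IFACE:-dmz}"
DMZ_DNS="${DMZ_DNS:-192.168.22.26}"
INTERNAL_DOMAIN="${INTERNAL_DOMAIN:-home.internal}"

# Steps 1-3 as a UCI batch: custom DNS on the DMZ interface, no ISP resolvers
# taken from the WAN lease (v4 and v6), and the internal domain exempted from
# rebind protection so RFC1918 answers from the DMZ server are not discarded.
# Apply on the router with:  gen_uci_batch | uci batch && uci commit
gen_uci_batch() {
    cat <<EOF
set network.${DMZ_IFACE}.dns='${DMZ_DNS}'
set network.wan.peerdns='0'
set network.wan6.peerdns='0'
add_list dhcp.@dnsmasq[0].rebind_domain='${INTERNAL_DOMAIN}'
EOF
}

# Read a dnsmasq startup log on stdin (e.g. logread | check_upstream) and
# succeed only if the DMZ server is the sole upstream. Any additional
# "using nameserver" line (an ISP resolver still in use) makes this fail.
check_upstream() {
    ns=$(sed -n 's/.*using nameserver \([0-9.]*\)#53.*/\1/p' | sort -u)
    [ "$ns" = "$DMZ_DNS" ]
}

# Constructed sample: the two lines from the thread's log that matter here.
SAMPLE_LOG='Fri Oct 8 11:25:16 2021 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Fri Oct 8 11:25:22 2021 daemon.info dnsmasq[6196]: using nameserver 192.168.22.26#53'

if printf '%s\n' "$SAMPLE_LOG" | check_upstream; then
    echo "upstream is the DMZ server ($DMZ_DNS) only"
else
    echo "unexpected upstream set: $(printf '%s\n' "$SAMPLE_LOG" | sed -n 's/.*using nameserver \(.*\)#53.*/\1/p' | tr '\n' ' ')"
fi
```

The check is deliberately strict: if the WAN lease's resolvers are still being used, the log shows a second "using nameserver" line and internal names can intermittently resolve against the ISP, which is exactly the symptom the thread started with. For the firewall step, the router itself is the DNS client of the DMZ server, so the DMZ zone's output policy has to permit it; a forwarding rule from lan to dmz on port 53 is only needed if LAN hosts are configured to query the DMZ server directly.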