- how could I setup such hostnames with OpenWRT?

I own a subdomain with letsencrypt certificate.
I have four goals:

  1. address all devices with
  2. have some docker container on my NAS addressed like
  3. copy the lets encrypt SSL to NAS, so I could access docker apps over ssl
  4. If my android use WireGuard VPN hostnames should also work

I'm not sure If I could reach all goals, but the third goal is the most important because some docker web apps not work without ssl (seems a browser restriction)
I'm not able to modify DNS of my subdomains.
My knowledge about DNS is beginner level. Until now, I had an OpenWRT router, and it worked. Until now I addressed all devices by IP.

Could someone guide me through the needed settings?

You do not own domeain , IANA kind of states so.

No. I share the domain with somone I know, he let me use it for my own Nextcloud. Since I have Wireguard on my android and a Synology NAS with docker I realized that I do not need a Nextcloud on internet. I wish to move my Nextcloud onto my NAS and cut the Internet connection. My docker services should only be reached over Wireguard VPN.

tell dnsmasq to send all queries to your local DNS server, using the server= option, map all clients to FQDNs.

1 Like

that sounds easy. Could you tell me please step by step what to setup?
currently I had in Network - DHCP and DNS - General:

  1. Resolve these locally all devices /
  2. Address severel entries like /

but still every ping on goes to the original page.

On openwrt I use the app adblock and checked it's settings may that help?

DNS-Backend: kresd (-), /etc/kresd
Run-Interfaces: trigger: -, report: br-lan
  1. not sure you can use an FQDN for the DNS, might have to be an IP.
    and unless you want to specify a DNS for each and every device. you should
    probably use or perhaps

make sure your host actually uses your DNS.

1 Like

Ubuntu is setup and also in firefox settings I changed to local DNS.
For test in Ubuntu on Gnome-terminal I run

sudo killall -HUP dnsmasq
sudo resolvectl flush-caches

should probably verify using nslookup.

already did nslookup shows the public IP.

I even add to /etc/hosts
nslookup shows still the public IP

the interesting part is, who (which DNS IP) gets queried.

where ?
client or router ?

this on router. Goal is that I do not have to edit /etc/hosts on client.

if I ssh into router:

  • nslookup shows the public IP
  • ping shows the internal IP
  • traceroute shows the internal IP
  • ping shows the Public IP

on client all four ways shows only the public IP.

uci add_list dhcp.@dnsmasq[0].address='/'
uci commit dhcp
service dnsmasq restart
uci add firewall redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].src_dport='53'
uci set firewall.@redirect[-1].name='DNS-Hijack'
uci commit firewall
/etc/init.d/firewall restart

WTF, I was getting there :slight_smile:


Sorry, I'll keep my big mouth shut next time...


thanks for your try @pavelgl but that did not work.
I already have several entries in

uci add_list dhcp.@dnsmasq[0].address='/'

the firewall redirect was new but also did not change anything.

Have you tried setting the domain setting here:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/'
	option localservice '1'
	option ednspacket_max '1232'

The lookups should work If the domain line is changed to:

	option domain ''

(this would be for normal dnsmasq, anyway)

I'm asking for the 3rd time, have you verified your clients actually use your DNS ?

@frollic @psherman I don't use net/adblock, but doesn't this output indicate that OP is using kresd, not dnsmasq for resolution?

1 Like