Different DNS servers for LAN and isolated guest wifi

How can i do to resolve lan and wlan with Adguard Home in router, and, isolated guest wifi with a pihole connected through ethernet?

I configured Adguard to serve port 53 and changed dnsmasq to 5353, LAN is, pihole is and guest network is

Use option 6 in dhcp options for the guest network to advertise the pihole. Use dns hijacking to catch anything that doesn't use the pihole.

Thanks @trendy !
I started from scratch, changed main lan to, created guest lan on, disabled ipv6, installed Adguard Home and changed it to port 53, changed dnsmasq to 5353, created traffic rules for guest dns & dhcp and port forward rules for lan and guest.
On lan i put on -Use custom DNS servers- & 6, on -DHCP-Option-.
On guest i put on -Use custom DNS servers- & 6, on -DHCP-Option-.
Everything is OK with lan and wlan, but, devices get Ip address but no internet access when connect to guest.
Fixed this error on dnsmasq: -failed to load names from /tmp/hosts/dhcp.cfg01411c: Permission denied- but still no internet.

This is wrong. You should not use OpenWrt itself as an upstream nameserver. You should use the 10.10 address of Pihole. Regarding the dhcp option 6 it is not necessary because if you don't fill it in, it will automatically advertise itself to the dhcp clients as dns.

You don't need it in guest interface, only on lan interface, where it is reachable from.

Verify the IP/mask/gw/dns -> ipconfig /all in windows ip add;ip ro;cat /etc/resolv.conf in linux
Do a ping test ping google.com; ping

Thanks again @trendy !
After hours trying i got internet by using port forward rules and custom rules, now all devices can connect, the thing now is, private lan and wlan have no problem, they are served by adguard on router and the dns is forced so devices cannot change their dns, but, guest wifi goes through the raspberry pi as intended getting the dns i set without any relation to private lan apparently, the problem is that on the leaktests appears google dns mixed up, and the only device with that dns is the isp modem, i was thinking on disabling dhcp on the modem, what do you think?

I have no clue. It depends on the upstream dns in Pihole as well.

I changed ISP Modem dns to cloudfare, this was the only device that had google dns, raspberry pi upstream is cloudfare and upstream for adguard home on this raspberry pi is opendns, the adguard on router has quad9 as upstream, so none of them have google dns, where should i look? because im still getting google dns showing on the leaktests.
I even checked with winscp every file conf and dnssmasq and there is no google dns reference in any.

GoogleDNS is often hardcoded in some Android/Google products. Not much you can do there, except hijacking.
You can try to isolate the device which queries GoogleDNS: opkg update; opkg install tcpdump; tcpdump -i any -evn 'port 53 and (host or host'

1 Like

you test via recent browser version of FF/Chrome?
because they by default using 'secure DNS' , i.e. DNS over HTTPS to well-known DNS provider cloudflare, google, regardless your desktop is using the DNS server (pihole or adguard) offered via DHCP.

and a few months later... the google or cloudfare leak problem showing can be solved blocking doh servers with BanIP

this method has worked for me after a fresh install only using banIP, but somehow if you install other stuff (like adguard home) and configure further then the DOH blocking dont work anymore, whats the permanent and final way to block DOH?

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.