Different DoH DNS for LAN and Guest

For my home router project I would like to run luci-dns-https-proxy to DoH my DNS calls for my main LAN while hijacking DNS on that interface to ensure all DNS calls use that service.

I would like to run different dns on my guest network while hijacking dns on that interface. Preferably I would like to run DoH there as well but I’m not sure that’s technically possible.

I am set up basically stock with the following changes:
- I run SQM.
- I ran the wiki instructions for both guest via LuCI and hijacking via CLI.
- I used DHCP option 6 on my guest in the past and sent the different resolvers to the clients.
- IPv6 is active out of the box on my main LAN with the stock setup but is not set up on guest because the wiki instructions do not provide for that. I wouldn’t mind having it work there as well.

After hijacking dns on my main interface it seems to have hijacked all dns on the guest interface as well. Perhaps some firewall tweaking could fix this but I’m very inept without instructions.

Basically I want to control all DNS calls on both networks, use secure transport (if possible), and use different public resolvers on each. I want to force DNS on both to use the resolvers I chose.

Anyone know a good way to do this? Thanks in advance.


I do this (though, with DoT) with dnsmasq+stubby and dnsmasq+unbound. You can find my config here: Configure different dns for lans


The first link I have followed for my initial setup. The second link might do the trick but it might be over my head. I will look it over for sure. Thanks for bringing it to my attention. In the meantime, isn’t there a way in my above listed description to simply allow a client's DNS selection, while on the guest network, to bypass the main network hijack? Perhaps a simple firewall rule? That would be a quick patch until I can learn enough to be comfortable attempting the config in your second link. Thanks again for your great info and speed in replies.

I’m really kind of partial to doing the DoH thing right now because I am not advanced in this stuff and I can use the DNS proxy on LuCI to easily change resolvers and play around. I like to stay as close to stock and use LuCI whenever possible. I will certainly learn from your post and your setup though when I have more time. Thanks for pointing it out!

DNS hijacking is basically a firewall rule for a specific source zone.
You need to apply it selectively only to the zones where you want it to work.
Providing DNS with DHCP options becomes ineffective if you use DNS hijacking in the same zone.

I would like to set things up so that I have a guest network and both the main and guest use a different DoH (via DNS HTTPS Proxy) where all clients are forced to use those resolvers (i.e. hijacking). That's my first choice of setup. Second would be to use DoH and hijacking on the main only and use DHCP option 6 on the Guest. Are neither of these possible? You may have answered already and I'm just not understanding. Thanks for your patience.

Set up 2 dnsmasq instances as mentioned above.
Each dnsmasq instance will manage its own zone separately, forwarding DNS queries to different instances of DoH resolver.

This is also possible.

Decide which way you want to go and follow the wiki.
If you still have issues, then post the configs:

uci show network; uci show firewall; uci show dhcp
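
An added example, not part of any post in this thread: since DNS hijacking is a redirect rule tied to a source zone, this check reads `uci show firewall` output and reports which zones have a port-53 DNAT redirect. The function name `dns_hijack_zones` is hypothetical, and the sample config (zone names, the `dns_int` section) is constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `uci show firewall` output: only "lan" has a DNS redirect.
SAMPLE_UCI="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.guest=zone
firewall.guest.name='guest'
firewall.dns_int=redirect
firewall.dns_int.name='Intercept-DNS'
firewall.dns_int.src='lan'
firewall.dns_int.src_dport='53'
firewall.dns_int.proto='tcp' 'udp'
firewall.dns_int.target='DNAT'"

# Reads `uci show firewall` on stdin; prints "<zone> hijacked|not-hijacked", sorted.
dns_hijack_zones() {
    awk -v q="'" '
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(q, "", val)                      # strip the quotes uci puts around values
        n = split(key, p, "[.]")
        if (n == 2) type[p[2]] = val          # firewall.<section>=<type>
        else if (n == 3) opt[p[2] SUBSEP p[3]] = val   # firewall.<section>.<option>=<value>
    }
    END {
        for (s in type) {
            if (type[s] != "redirect") continue
            tgt = opt[s SUBSEP "target"]
            if (tgt == "") tgt = "DNAT"       # redirect sections default to DNAT
            if (opt[s SUBSEP "src_dport"] == "53" && tgt == "DNAT" && opt[s SUBSEP "enabled"] != "0")
                hijacked[opt[s SUBSEP "src"]] = 1
        }
        for (s in type)
            if (type[s] == "zone") {
                z = opt[s SUBSEP "name"]
                print z, ((z in hijacked) ? "hijacked" : "not-hijacked")
            }
    }' | sort
}

# Run against the constructed sample; on a router use: uci show firewall | dns_hijack_zones
printf '%s\n' "$SAMPLE_UCI" | dns_hijack_zones
```

A zone reported as `hijacked` ignores resolvers handed out with DHCP option 6, as noted above, so a guest zone meant to use option 6 should show `not-hijacked`.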