DNS forward not working?

There's something going on with the DNS forwarding.
My ISP's DNS doesn't work for some websites so I tend to use OpenDNS's and Google's DNS servers. If I try to use my ISP's DNS servers I get a webpage from my ISP stating that it cannot resolve the names.
But ever since I've reinstalled OpenWRT and reconfigured from scratch, this hasn't been working.
Or rather, it works only for a minute every time I reboot the router and then apparently it starts using my ISP's DNS servers because I start getting the ISP webpage saying it cannot resolve.
I have also tried to keep my PC receiving an IP address through the router's DHCP server and setting the DNS servers by hand, and this way those websites work just fine.
Any ideas on what I could be doing wrong?
Thanks in advance.

Have you configured your WAN interface to ignore the DNSs announced by your ISP?
Could your ISP be hijacking the DNS requests?


Hi @eduperez , thanks for your reply.
Indeed, I didn't have the WAN interface setup to ignore the DNS's announced by my ISP.
I've set it to ignore, set up OpenDNS/Google servers and it's working.
But now I have a question: which page sets the DNS server?
The Networks > Interfaces > Wan > Advanced Settings > Use DNS servers advertised by peer?
Or the Network > DHCP & DNS > DNS forwardings?
I'm a bit confused with both options...
I only had set up the latter and it wasn't working. Now I have both and it's working.


You have two options:

  • Untick "Use DNS servers advertised by peer" & type the DNS server IP in the WAN interface.
  • Type the DNS server in "DNS forwardings" & tick "Ignore resolve file".
    Both ways will give the same result.

I see.
Any reason why this would be duplicated? I mean, this is duplication, right?

And repeat for WAN6 interface.


In my particular case, my ISP still doesn't support IPv6 :frowning:
But thanks for pointing that out.

Better do it to make sure the configuration will not change if/when your ISP enables IPv6.


No, it's not a duplicate:

  • The system DNS servers are set in System
  • The WAN interface's DNS servers are set in WAN

I'm able to add my IPv6 DNS servers to my WAN Interface. OpenWrt is smart enough to use the available IPv6 interface to make those requests.


Oh. Ok.
Then you will excuse my ignorance but what exactly is the difference between system DNS and Wan interface DNS?
Let me try to explain this from a newcomer's point of view. I had configured the WAN port for DHCP and it was receiving DNS server addresses for the Wan interface.
Then I had set up the system DNS servers (DNS Forwarders, right?) with OpenDNS and Google.
My laptop, tablets and smartphones would pick up an IP address using DHCP from the OpenWRT router and, as such, their DNS server was set to the router's IP address.
Now, why would the clients (laptop, etc.) make a name query and get the name resolved by the router using the ISP's Wan Interface DNS server instead of the system DNS server?
I would expect the router to resolve names for the clients using the system DNS servers, right? Because that's what makes sense to me...

You mean you have IPv6 DNS servers set up both on your Wan and Wan6 interfaces? Using IPv6 addresses? Even on the Wan interface (IPv4)?
Can you please detail this?
Nevertheless, since my ISP doesn't support IPv6, what exactly would I gain from doing something similar to what you are doing in this case?
Thanks in advance.

  • System DNS: what OpenWrt's Kernel uses
  • WAN DNS: what the WAN interface uses

Because you configured WAN DNS servers.

No, I have IPv6 DNS servers setup on my IPv4 WAN only.

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	option delegate '0'
	option dns '74.xxx.xxx.xxx 198.xxx.xxx.xxx 156.xxx.xxx.xxx 44.xxx.xxx.3xxx 2001:470:xxxx::xxxx 2001:468:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx 2610:xxxx:xxxx::xxxx'

As I noted, it works. I have an HE tunnel, and otherwise could not specify the DNS servers, I used WAN - and it worked!

I've never configured "System DNS servers," I only have DNS servers specified in my WAN Interface, or I hand out other servers via DHCP.


DNS forwarding is a feature of Dnsmasq and it's designed to delegate the resolver role to external DNS servers.
Especially when you need to use different DNS servers for different DNS requests.
For instance, you want to resolve only your company services through the corporate DNS server and nothing else.
In most cases there's no point in using it.

Well... technically I didn't. They were automatically set up by my ISP's DHCP server.

I know at least 3 places where to set up DNS servers:

  • (1) Network > DHCP and Network > DNS Forwardings
  • (2) WAN port
  • (3) LAN port

Are there any other places where one can set up DNS resolvers?
My clients all live in my LAN/WiFi bridge. So, if there was no (1) I would guess that all DNS requests would be resolved by the DNS servers set up on (3). Except if the client had fixed DNS entries configured.
For all I know, (2) would be used in the case of the router's console diagnostics (ping/traceroute) and I honestly don't see what (1) would be needed for...

I feel like I need a crash course on OpenWRT's DNS configuration.

Configuration should be built based on your goals.
You could configure resolv.conf directly, or use iptables to redirect DNS-traffic, or just push custom DNS-settings to the clients with DHCP-option.
There are multiple methods, and depending on the goal some of them would be more or less reasonable and preferable.

Well, very interesting question.
I think it's because you forgot to tick the "ignore resolve file" option.
When you configured the WAN port for DHCP and set up DNS servers in the forwarder:

  • First, the system will receive the DNS server address from the ISP & update the resolv.conf file.
  • Second, if "ignore resolve file" is ticked, the system will ignore the resolv.conf file and use the DNS servers as you set them.
    The system always prioritises the resolv file over the dnsmasq conf for DNS resolution.
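The precedence described in the "two options" post earlier in the thread and in the explanation just above, as an added example that is not from this thread or from the OpenWrt project: a POSIX shell audit that reads copies of /etc/config/network and /etc/config/dhcp and reports whether dnsmasq can still forward queries to the ISP-advertised resolvers. It treats the two fixes as equivalent, as the thread does: peerdns '0' on the WAN keeps the ISP servers out of resolv.conf, and noresolv '1' (LuCI's "Ignore resolve file") makes dnsmasq ignore resolv.conf and rely on the "DNS forwardings" (list server) only. The sample configs are constructed for this example; the function names, the assumption that the WAN section is named 'wan', and the assumption that the dnsmasq section is the usual anonymous 'config dnsmasq' are mine.

```shell
#!/bin/sh
# Added example (not OpenWrt code): audit UCI config files for the
# "dnsmasq still uses the ISP's DNS" situation discussed in the thread.
# Assumptions: standard UCI text syntax, WAN section named 'wan',
# an anonymous 'config dnsmasq' section in the dhcp file.

# uci_opt FILE SECTION OPTION
# Print the value(s) of OPTION in SECTION, one per line, quotes stripped.
# SECTION is a section name, or the section type for an anonymous section.
uci_opt() {
    awk -v sect="$2" -v opt="$3" -v q="'" '
        $1 == "config" {
            cur = ($3 != "") ? $3 : $2      # named section -> name, else type
            gsub(q, "", cur)
            next
        }
        cur == sect && ($1 == "option" || $1 == "list") && $2 == opt {
            sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "")
            gsub(q, "")
            print
        }' "$1"
}

# isp_dns_reachable NETWORK_FILE DHCP_FILE
# "yes" when ISP-advertised resolvers land in resolv.conf (peerdns not 0)
# AND dnsmasq still reads resolv.conf (noresolv not 1); otherwise "no".
isp_dns_reachable() {
    peerdns=$(uci_opt "$1" wan peerdns)      # unset -> OpenWrt default 1
    noresolv=$(uci_opt "$2" dnsmasq noresolv) # unset -> OpenWrt default 0
    if [ "${peerdns:-1}" != "0" ] && [ "${noresolv:-0}" != "1" ]; then
        echo yes
    else
        echo no
    fi
}

# dns_audit NETWORK_FILE DHCP_FILE -> one summary line
dns_audit() {
    isp=$(isp_dns_reachable "$1" "$2")
    fwd=$(uci_opt "$2" dnsmasq server | tr '\n' ' ')
    custom=$(uci_opt "$1" wan dns)
    printf 'isp_dns=%s forwardings=[%s] wan_custom=[%s]\n' "$isp" "${fwd% }" "$custom"
}

# write_sample MODE NETWORK_FILE DHCP_FILE
# Constructed sample configs (not from a real router). MODE is:
#   broken   - WAN accepts ISP DNS, forwardings set, resolv.conf still read
#   peerdns  - fix 1: peerdns '0' plus custom servers on the WAN interface
#   noresolv - fix 2: forwardings plus noresolv '1' ("Ignore resolve file")
write_sample() {
    {
        echo "config interface 'wan'"
        echo "    option ifname 'eth0.2'"
        echo "    option proto 'dhcp'"
        if [ "$1" = peerdns ]; then
            echo "    option peerdns '0'"
            echo "    option dns '208.67.222.222 8.8.8.8'"
        fi
        echo ""
        echo "config interface 'lan'"
        echo "    option proto 'static'"
        echo "    option ipaddr '192.168.1.1'"
    } > "$2"
    {
        echo "config dnsmasq"
        echo "    option domainneeded '1'"
        if [ "$1" = noresolv ]; then
            echo "    option noresolv '1'"
        fi
        if [ "$1" != peerdns ]; then
            echo "    list server '208.67.222.222'"
            echo "    list server '8.8.8.8'"
        fi
        echo ""
        echo "config dhcp 'lan'"
        echo "    option interface 'lan'"
    } > "$3"
}

case "${1:-}" in
    --demo)   # show all three sample states
        tmp=$(mktemp -d)
        for mode in broken peerdns noresolv; do
            write_sample "$mode" "$tmp/network" "$tmp/dhcp"
            printf '%-9s %s\n' "$mode:" "$(dns_audit "$tmp/network" "$tmp/dhcp")"
        done
        rm -rf "$tmp"
        ;;
    "") ;;    # no arguments: only define the functions
    *) dns_audit "$1" "$2" ;;   # audit real copies: sh dns_audit.sh network dhcp
esac
```

Run `sh dns_audit.sh --demo` to see the three states side by side, or `sh dns_audit.sh /etc/config/network /etc/config/dhcp` on a copy of a real configuration. The "broken" sample reports isp_dns=yes even though forwardings are configured, which is exactly the state the thread started from: both the ISP resolvers (via resolv.conf) and the forwardings are upstreams, so dnsmasq is free to use either.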

I don't understand why you're having so many issues. Just keep the default settings (reset to defaults if you need to).

The only change you need to make for DNS is in the Luci->Network->Interface->WAN->Advanced Settings.

Note: you can add more than one custom DNS server


Exactly @mbo2o !

Anecdotally, I've found this to be the most effective way to use non-ISP-assigned DNS servers.

Utilizing 2x DNS servers under:

  • Network >Interfaces >under WAN (click edit) >Advanced Settings >Use DNS servers advertised by peer (un-tick) >Use custom DNS servers

If I have a specific device(s) requiring the further need for an alternative DNS server(s), I've used iptables listed under...

  • Network >Firewall > Custom Rules >Firewall - Custom Rules

Input your device(s) MAC, DNS and Router IP address (omitting < and >)...

iptables -t nat -N DNSFILTER
iptables -t nat -I prerouting_lan_rule -p tcp -m tcp --dport 53 -j DNSFILTER
iptables -t nat -I prerouting_lan_rule -p udp -m udp --dport 53 -j DNSFILTER

# Device1
iptables -t nat -A DNSFILTER -m mac --mac-source <device_MAC_address> -j DNAT --to-destination <DNS1_IP_address>
# Device2
iptables -t nat -A DNSFILTER -m mac --mac-source <device_MAC_address> -j DNAT --to-destination <DNS2_IP_address>
# Device3
iptables -t nat -A DNSFILTER -m mac --mac-source <device_MAC_address> -j DNAT --to-destination <DNS3_IP_address>

iptables -t nat -A DNSFILTER -j DNAT --to-destination <OpenWrt_router_IP_address>

Using iptables seems to take precedence over the WAN assigned DNS addresses.

For the iptables to work effectively, I've also had to disable the LAN DHCPv6-Service...

  • Network >Interfaces >under LAN (click edit) >DHCP Server section >IPv6 Settings >DHCPv6-Service (set disabled)
