DNS not redirecting correctly

I have multiple VLANs and have adguard installed on a separate server. All of the VLANs are using DHCP 6 pointing to adguard and this works for the most part.

However, I'm still seeing 8% of the queries in adguard coming from the router's IP address; when looking at the queries they look to be from devices across different VLANs.

So it seems the router is still acting as a DNS and redirecting the queries. What can I check to stop this behavior?

Interface > Lan > DHCP Server > Advanced Settings > DHCP-Option > I have 6, 192.x.x.x
Interface > Lan > Advanced Setting > Custom DNS > I have 192.x.x.x

Because of this setting:

  • Only set on WAN
  • Verify it's not link local IPv6 requests reaching the router

You meant "DHCP Option No. 6" - correct?

1 Like

Okay, I removed the Custom DNS under the LAN interface. Where do I set this in the WAN interface? I remember seeing that as an option but can't find it now. I left it as default, so it's probably still getting the WAN DNS from my ISP.

There is an option that is called DHCP-Option; in the textbox I have 6, 192.x.x.x, which is the IP of adguard.

  • Yes, this is DHCP Option No. 6, where DHCP is configured to give your AdGuard server as DNS

Same place under the WAN interface. There's a checkbox to not use your ISP's DNS servers, then the field to enter Custom DNS servers will appear.

Lastly:

  • I assume you plan to set the AdGuard, correct?
  • Do you still see the traffic in question?

I never understood why the WAN DNS should be changed when I'm already using DHCP-Option 6. Can you explain? And is it safe to use a local address such as 192.x.x.x for this?

Yes, it does look like traffic from the router has stopped in the adguard queries after the removal of the Custom DNS.

For any lookups originated by your router.

Yes, the traffic goes from your router to the DNS server (i.e., the DNS query and reply), just like any other local DNS packets. All other usual steps are performed by the AdGuard server performing the lookup as you've configured it.

Wonderful!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! 🙂

Should <> could.
You don't always want to send the router generated queries to the default (provided via WAN port DHCP request) upstream DNS server.

1 Like

I'm marking this as unsolved. I noticed that as soon as I set the adguard IP address on the WAN Custom DNS, I now see queries from the router again. I guess that makes sense if devices are still using the router as a DNS.

What I don't get is why the router is still being used even if I have set dhcp-option 6? Everything should go directly to adguard and not the router.

  • Just use the same monitoring tool to analyze LAN and identify what devices are making requests to the router
  • It could be requests via IPv6, is it disabled somewhere?
  • If not, start there

Not sure which monitoring tools you are referring to. I can guess and check a few devices based on the queries; these do not look like ipv6 requests.

I have ipv6 disabled on the router.

I assumed you meant looking at the router. You'd browse to:

Status > Realtime Graphs > Connections

Look for traffic destined for your router at 53/udp - both IPv4 and IPv6.
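The Connections page is a rendered view of the kernel conntrack table, so the same check can be scripted on the router and run over the raw table. The script below is an added example, not from this thread or from OpenWrt; it reads lines in the `/proc/net/nf_conntrack` format, keeps only flows to port 53, and separates clients that still query the router (original destination is a router address) from the router's own lookups toward the resolver (original source is a router address). The router addresses, the AdGuard address 192.168.1.20 and the sample table lines are constructed for the example.

```shell
#!/bin/sh
# Added example: find which hosts still send DNS to the router, from conntrack data.
# Assumed router addresses (IPv6 must be in the expanded form conntrack prints).
ROUTER_ADDRS="192.168.1.1 fe80:0000:0000:0000:0000:0000:0000:0001"

# Constructed sample in /proc/net/nf_conntrack format: two LAN clients asking the
# router for DNS (one over IPv4, one over link-local IPv6), the router itself
# querying AdGuard (192.168.1.20), an HTTPS flow to LuCI and a client that goes
# straight to AdGuard as intended.
SAMPLE_CONNTRACK='ipv4     2 udp      17 28 src=192.168.1.50 dst=192.168.1.1 sport=51234 dport=53 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=51234 mark=0 use=1
ipv4     2 udp      17 25 src=192.168.1.50 dst=192.168.1.1 sport=51240 dport=53 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=51240 mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.1 dst=192.168.1.20 sport=36782 dport=53 src=192.168.1.20 dst=192.168.1.1 sport=53 dport=36782 mark=0 use=1
ipv4     2 tcp      6 7431 ESTABLISHED src=192.168.1.51 dst=192.168.1.1 sport=52211 dport=443 src=192.168.1.1 dst=192.168.1.51 sport=443 dport=52211 [ASSURED] mark=0 use=1
ipv6     10 udp     17 29 src=fe80:0000:0000:0000:0000:0000:0000:0010 dst=fe80:0000:0000:0000:0000:0000:0000:0001 sport=40021 dport=53 src=fe80:0000:0000:0000:0000:0000:0000:0001 dst=fe80:0000:0000:0000:0000:0000:0000:0010 sport=53 dport=40021 mark=0 use=1
ipv4     2 udp      17 30 src=192.168.2.33 dst=192.168.1.20 sport=44310 dport=53 src=192.168.1.20 dst=192.168.2.33 sport=53 dport=44310 mark=0 use=1'

# dns_flows ROUTER_ADDRS < conntrack-lines
# Prints "client->router <family> <client> <count>" for hosts still using the router
# as resolver and "router->resolver <family> <resolver> <count>" for the router's own lookups.
dns_flows() {
    awk -v routers="$1" '
    BEGIN { n = split(routers, r, " "); for (i = 1; i <= n; i++) is_router[r[i]] = 1 }
    {
        # The first src=/dst=/dport= triple on a line is the original direction of the flow;
        # the second triple is the reply direction and is skipped.
        src = ""; dst = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/ && src == "") src = substr($i, 5)
            else if ($i ~ /^dst=/ && dst == "") dst = substr($i, 5)
            else if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)
        }
        if (dport != "53") next
        if (dst in is_router) count["client->router " $1 " " src]++
        else if (src in is_router) count["router->resolver " $1 " " dst]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Runs the report over the constructed sample; on a router use:
#   dns_flows "$ROUTER_ADDRS" < /proc/net/nf_conntrack
report_sample() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | dns_flows "$ROUTER_ADDRS"
}

report_sample
```

A `client->router` line names a host whose resolver setting never changed (static DNS, a browser or OS resolver override, or an IPv6 address learned from the router), while `router->resolver` lines are the router's own lookups and are governed by the WAN DNS setting, not by DHCP option 6.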

I assume this means disabling the DNS server announcement and link local too?

There are no connections to my router on 53/udp for ipv4. I see port 53 being used by my adguard server and one rogue IoT device which I'll need to investigate, but that would not cause the amount of queries I'm seeing from the router in adguard, or the type of queries.

There are a bunch of ipv6 connections going to an fe80 address on port 53, which I assume is the link local address?

IPv6 RA can and should include an announced DNS nameserver. Have you checked that? The default of dnsmasq is to announce itself as nameserver too.

1 Like
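On OpenWrt the IPv6 side of this is configured per interface in the `dhcp` sections of `/etc/config/dhcp`: `ra` and `dhcpv6` switch the RA/DHCPv6 service on, `list dns` sets the resolvers it announces, and `option dns_service '0'` stops it from announcing the router's own address when that list is empty; on the IPv4 side a missing `list dhcp_option '6,...'` means dnsmasq hands out the router itself as resolver. The script below is an added example and not part of the thread or of OpenWrt; it audits such a config and prints, per section, where IPv4 and IPv6 clients will be told to send DNS. The config text, the AdGuard addresses 192.168.1.20 and fd12:3456:789a::20 and the section names are constructed for the example.

```shell
#!/bin/sh
# Added example: audit /etc/config/dhcp for interfaces that still hand the router out as DNS.

# Constructed sample config. Only the options the audit looks at are included.
SAMPLE_DHCP_CONFIG=$(cat <<'EOF'
config dhcp 'lan'
	option interface 'lan'
	option ra 'server'
	option dhcpv6 'server'
	list dhcp_option '6,192.168.1.20'

config dhcp 'iot'
	option interface 'iot'
	option ra 'server'
	option dhcpv6 'server'
	list dns 'fd12:3456:789a::20'
	list dhcp_option '6,192.168.1.20'

config dhcp 'guest'
	option interface 'guest'
	option ra 'server'
	option dns_service '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
EOF
)

# audit_dns_announce < dhcp-config
# One line per dhcp section: "<name> ipv4=<option6|router|none> ipv6=<listed|off|router|none>"
#   option6 : DHCP option 6 set, IPv4 clients get the listed resolver
#   router  : clients are told to use the router itself
#   listed  : RA/DHCPv6 announce the addresses from "list dns"
#   off     : dns_service is 0, nothing is announced over IPv6
#   none    : no RA/DHCPv6 service on this interface (or the section is ignored)
audit_dns_announce() {
    awk -v q="'" '
    function emit(  v4, v6, active) {
        if (name == "") return
        if (ignore == "1") { v4 = "none"; v6 = "none" }
        else {
            v4 = has_opt6 ? "option6" : "router"
            active = (ra == "server" || ra == "hybrid" || dhcpv6 == "server" || dhcpv6 == "hybrid")
            if (!active) v6 = "none"
            else if (has_dns) v6 = "listed"
            else if (dns_service == "0") v6 = "off"
            else v6 = "router"
        }
        print name " ipv4=" v4 " ipv6=" v6
        name = ""; ra = ""; dhcpv6 = ""; dns_service = ""; ignore = ""; has_dns = 0; has_opt6 = 0
    }
    # A new "config dhcp" line closes the previous section.
    $1 == "config" && $2 == "dhcp" { emit(); name = $3; gsub(q, "", name) }
    $1 == "option" {
        v = $3; gsub(q, "", v)
        if ($2 == "ra") ra = v
        else if ($2 == "dhcpv6") dhcpv6 = v
        else if ($2 == "dns_service") dns_service = v
        else if ($2 == "ignore") ignore = v
    }
    $1 == "list" {
        v = $3; gsub(q, "", v)
        if ($2 == "dns") has_dns = 1
        else if ($2 == "dhcp_option" && (v ~ /^6,/ || v ~ /^option:dns-server/)) has_opt6 = 1
    }
    END { emit() }'
}

# Runs the audit over the constructed config; on a router use:
#   audit_dns_announce < /etc/config/dhcp
report_sample() {
    printf '%s\n' "$SAMPLE_DHCP_CONFIG" | audit_dns_announce
}

report_sample
```

In the sample, `lan` is the case from this thread: option 6 is set, yet RA/DHCPv6 still announce the router, so IPv6-capable clients on that VLAN keep sending queries to the link-local address seen on the Connections page. Either `dns_service '0'` (as on `guest`) or an explicit `list dns` pointing at the AdGuard ULA (as on `iot`) closes that path.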

Can you point me in the right direction? I'm a bit lost when it comes to ipv6

If I'm not mistaken it's dns_service.

I don't think it is ipv6, but here is how i disabled it.

Devices > br-lan >General > Enable IPV6 > disabled selected
Interface > Lan > advanced > unchecked 'Delegate IPv6 prefixes'
Repeat for all other vlans.

Yes, and I assume that's your router's IPv6 address.

Or the user could alter the address to the ULA of the Adguard server (assuming he didn't disable IPv6).

It is totally normal that within a subnet the link local addresses are used. That's why we have them in the first place.
But a user, messing with advanced setups, has to ensure that every piece and bit is properly configured. And not half baked.

Reviving this thread, as I still have not resolved this.

In the real time connections, I do see a bunch of random ports from the router going to my adguard host on port 53.

i.e. 192.168.1.1:36782

There are a bunch of these, so it's unclear which client is using the router as a DNS.

I wonder whether the Secure DNS option in Chromium browsers is causing this.

I inquired because I wanted the OP to verify the addresses. But alas, maybe they can continue 3 months later.