DNS requests from different subnets to different DNS servers on different WAN interfaces

Multiple instances of your DNS server are another option. Either multiples of dnsmasq or some combination of dnsmasq and unbound would work.


Would running 2 copies of dnsmasq break adblock?

If you're trying to separate your upstream DNS providers, you'd then likely need two instances of adblock as well (I'm assuming it works as a DNS proxy between the local server and the upstream servers).

See below

adblock doesn't really work like a proxy; instead, it merely injects local DNS overrides (based on the fetched block lists) into dnsmasq's configuration, answering with NXDOMAIN (server=/example.com/).

No, but I presume you have to enable adblock for extra instances manually.

Out of those options I think multiple instances of dnsmasq is what I will try for; the problem is that the linked wiki page is a bit sparse on how to configure it.
I am mainly not sure if the given example of

config 'dnsmasq' 'hotspot'

is meant to replace the

config dnsmasq

at the top of /etc/config/dhcp or if it is in addition to it (and if so, do I need 2 of them or just the normal one plus the extra instance)?

Yep, you need to add an extra section.
Clone the options and modify them if required.

OK, the problem is now that I am not sure how an instance can be directed out a different WAN interface.
I guess that would require an iptables rule?

# Use ISP DNS for Dnsmasq instance #0
uci -q delete network.wan.peerdns
uci -q delete network.wan.dns
uci -q delete network.wan6.peerdns
uci -q delete network.wan6.dns
uci commit network
service network reload
uci -q delete dhcp.@dnsmasq[0].server
uci -q delete dhcp.@dnsmasq[0].noresolv
uci commit dhcp
service dnsmasq restart
# Use VPN DNS for Dnsmasq instance #1
uci -q delete dhcp.@dnsmasq[1].server
uci add_list dhcp.@dnsmasq[1].server="VPN_DNS1"
uci add_list dhcp.@dnsmasq[1].server="VPN_DNS2"
uci set dhcp.@dnsmasq[1].noresolv="1"
uci commit dhcp
service dnsmasq restart

That did not work.
I replaced "VPN_DNS" with the VPN DNS address, but it just used the ISP one instead, and each time I did

service dnsmasq restart

it printed

udhcpc: started, v1.28.4
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.28.4
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.28.4
udhcpc: sending discover
udhcpc: no lease, failing

uci show dhcp
netstat -l -n -p | grep -e dnsmasq
pgrep -f -a dnsmasq

OK, I think I made a mistake by running it as

uci add_list dhcp.@dnsmasq[1].server="10.255.255.2"

and not

uci add_list dhcp.vpn.server="10.255.255.2"

which is what I named my instance.

After that I now have

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].logqueries='1'
dhcp.@dnsmasq[0].serversfile='/tmp/adb_list.overall'
dhcp.@dnsmasq[0].notinterface='lanvpn'
dhcp.vpn=dnsmasq
dhcp.vpn.domainneeded='1'
dhcp.vpn.localise_queries='1'
dhcp.vpn.rebind_protection='1'
dhcp.vpn.rebind_localhost='1'
dhcp.vpn.local='/lan/'
dhcp.vpn.domain='lanvpn'
dhcp.vpn.expandhosts='1'
dhcp.vpn.authoritative='1'
dhcp.vpn.readethers='1'
dhcp.vpn.leasefile='/tmp/dhcp.leases'
dhcp.vpn.resolvfile='/tmp/resolv.conf.vpn'
dhcp.vpn.nonwildcard='1'
dhcp.vpn.localservice='1'
dhcp.vpn.logqueries='1'
dhcp.vpn.serversfile='/tmp/adb_list.overall'
dhcp.vpn.noresolv='1'
dhcp.vpn.server='10.255.255.2'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.@domain[0]=domain
dhcp.@domain[0].ip='192.168.77.7'
dhcp.@domain[0].name='openwrt.lan'
dhcp.lanvpn=dhcp
dhcp.lanvpn.start='100'
dhcp.lanvpn.leasetime='12h'
dhcp.lanvpn.limit='150'
dhcp.lanvpn.interface='lanvpn'
dhcp.lanvpn.instance='vpn'

But no DNS access for the VPN or the normal network, both being sent to 10.255.255.2 (which is not what I want) but never getting a response (indicating it is trying to reach it over the WAN).

uci rename dhcp.@dnsmasq[0]="dnsmasq"
uci set dhcp.lan.instance="dnsmasq"
uci commit dhcp
service dnsmasq restart

That fixed the lack of working DNS for the normal LAN, but the VPN LAN is back to using the ISP DNS.
EDIT: Set up a static route to force all 10.225.255.2 requests out via the VPN, but for some reason it is sending all DNS requests (including LAN) to 10.225.255.2 over the VPN (which is admittedly better than it sending everything over the WAN).

Then you should verify that the Dnsmasq instances are bound to the correct interfaces.
Compare interface addresses, Dnsmasq PIDs and runtime configs for those PIDs:

netstat -l -n -p | grep -e dnsmasq
pgrep -f -a dnsmasq

Also verify that your network is configured properly:

uci show network.lanvpn

23541 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.dnsmasq -k -x /var/run/dnsmasq/dnsmasq.dnsmasq.pid
23542 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.vpn -k -x /var/run/dnsmasq/dnsmasq.vpn.pid

tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 23541/dnsmasq
tcp 0 0 192.168.77.7:53 0.0.0.0:* LISTEN 23541/dnsmasq
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 23541/dnsmasq
tcp 0 0 192.168.88.8:53 0.0.0.0:* LISTEN 23541/dnsmasq
tcp 0 0 "VPN ADDRESS":53 0.0.0.0:* LISTEN 23541/dnsmasq
tcp 0 0 ::1:53 :::* LISTEN 23541/dnsmasq

udp 0 0 127.0.0.1:53 0.0.0.0:* 23542/dnsmasq
udp 0 0 192.168.77.7:53 0.0.0.0:* 23542/dnsmasq
udp 0 0 192.168.1.1:53 0.0.0.0:* 23542/dnsmasq
udp 0 0 192.168.88.8:53 0.0.0.0:* 23542/dnsmasq
udp 0 0 "VPN ADDRESS":53 0.0.0.0:* 23542/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 23541/dnsmasq
udp 0 0 192.168.77.7:53 0.0.0.0:* 23541/dnsmasq
udp 0 0 192.168.1.1:53 0.0.0.0:* 23541/dnsmasq
udp 0 0 192.168.88.8:53 0.0.0.0:* 23541/dnsmasq
udp 0 0 "VPN ADDRESS":53 0.0.0.0:* 23541/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 23542/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 23541/dnsmasq

So it looks like both are on the same IPs for some reason.
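To make the "both on the same IPs" symptom visible per socket rather than by eyeballing PIDs, here is an added helper (not from this thread) that joins the `pgrep -f -a dnsmasq` and `netstat -l -n -p` output shown above: it reads the instance name from each process's `-C /var/etc/dnsmasq.conf.<name>` argument and reports every address that more than one instance listens on. The sample text below is constructed from the output in this post.

```shell
#!/bin/sh
# Added example: attribute each dnsmasq listening socket to its OpenWrt instance.
# On a router run:
#   dnsmasq_shared_sockets "$(pgrep -f -a dnsmasq)" "$(netstat -l -n -p | grep dnsmasq)"
# An empty result means every instance has its own addresses.

# Print "instance proto address port" for every listening socket.
dnsmasq_bindings() {
    printf '%s\n' "$1" "---" "$2" | awk '
        /^---$/ { sockets = 1; next }
        !sockets && match($0, /dnsmasq\.conf\.[^ ]+/) {
            # "dnsmasq.conf." is 13 characters; what follows is the instance name
            name[$1] = substr($0, RSTART + 13, RLENGTH - 13)
            next
        }
        sockets && $1 ~ /^(tcp|udp)/ {
            split($NF, prog, "/")                 # "23541/dnsmasq" -> PID
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            inst = (prog[1] in name) ? name[prog[1]] : "pid" prog[1]
            print inst, $1, addr, port
        }'
}

# Print "proto address port" for sockets claimed by more than one instance.
dnsmasq_shared_sockets() {
    dnsmasq_bindings "$1" "$2" | awk '
        { key = $2 " " $3 " " $4
          if (!((key, $1) in seen)) { seen[key, $1] = 1; count[key]++ } }
        END { for (k in count) if (count[k] > 1) print k }' | sort
}

# Constructed sample, trimmed from the thread output: both PIDs on 192.168.1.1:53/udp.
SAMPLE_PGREP='23541 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.dnsmasq -k -x /var/run/dnsmasq/dnsmasq.dnsmasq.pid
23542 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.vpn -k -x /var/run/dnsmasq/dnsmasq.vpn.pid'
SAMPLE_NETSTAT='tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 23541/dnsmasq
udp 0 0 192.168.1.1:53 0.0.0.0:* 23541/dnsmasq
udp 0 0 192.168.1.1:53 0.0.0.0:* 23542/dnsmasq
udp 0 0 ::1:53 :::* 23541/dnsmasq'
```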

config dnsmasq 'lan'
	option local '/lan/'
	option domain 'lan'
	option leasefile '/tmp/dhcp.leases.lan'
	option resolvfile '/etc/resolv.conf.lan' # copy resolv.conf, or add 2 DNS upstreams, or leave the original
	option serversfile '/tmp/adb_list.overall'
	list interface 'br-lan'

config dnsmasq 'vpn'
	option local '/vpn/'
	option domain 'vpn'
	option leasefile '/tmp/dhcp.leases.vpn'
	option resolvfile '/etc/resolv.conf.vpn' # add VPN DNS manually, or use the up-script to populate it
	option serversfile '/tmp/adb_list.overall' # use same file
	list interface 'eth2' # router-internal interface facing clients

NOTE: dhcp section needs alternate names i.e.

config dhcp 'landhcp'
config dhcp 'vpndhcp'

/etc/openvpn/YOURVPN.conf

script-security 2  # to use 'up' and 'down' scripts
up "/etc/openvpn/updns"
#down "/etc/openvpn/downdns" # not using right now

updowngen.sh

cat<<'EOF' > /etc/openvpn/updns
#!/bin/sh
# Convert the DNS/DOMAIN options pushed by the VPN server (exported by OpenVPN
# as foreign_option_N) into resolv.conf syntax for the "vpn" dnsmasq instance.
echo "$foreign_option_1" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /etc/resolv.conf.vpn
echo "$foreign_option_2" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /etc/resolv.conf.vpn
EOF
chmod +x /etc/openvpn/updns

It looks promising; I optimized the code.


Both of those scripts just result in an empty resolv.conf.vpn file.

You shouldn't expect everything to work flawlessly from the first try.
It requires some tuning in accordance with your configuration.
If you want to perform script troubleshooting, then enable debugging:

#!/bin/sh
set -x -v
exec &>${0%.*}.log
set
...
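As an added example (not a script posted in this thread), here is an up-script variant that walks every foreign_option_N OpenVPN exports instead of only the first two, ignores options that are not DNS or DOMAIN, writes the resolvfile atomically, and refuses to leave an empty /etc/resolv.conf.vpn behind when the server pushed no DNS at all, which is the failure mode reported above. The output path /etc/resolv.conf.vpn and the script name updns are assumptions taken from this thread.

```shell
#!/bin/sh
# Added example: build the "vpn" dnsmasq instance's resolvfile from OpenVPN's
# foreign_option_N variables (present in the up-script environment when
# script-security 2 is set and the server pushes dhcp-option values).

# Print "nameserver"/"domain" lines for every foreign_option_N in the environment.
# Returns 1 if no "dhcp-option DNS" was pushed.
vpn_resolv_lines() {
    n=1 found=0
    while :; do
        eval "opt=\${foreign_option_$n}"
        [ -n "$opt" ] || break
        set -- $opt                       # e.g. "dhcp-option DNS 10.255.255.2"
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    echo "nameserver $3"; found=1 ;;
                DOMAIN) echo "domain $3" ;;
            esac
        fi
        n=$((n + 1))
    done
    [ "$found" -eq 1 ]
}

# Write the resolvfile via a temp file so dnsmasq never reads a half-written one,
# and keep the previous file (if any) when nothing usable was pushed.
write_vpn_resolv() {
    out=${1:-/etc/resolv.conf.vpn}
    tmp="$out.tmp.$$"
    if vpn_resolv_lines > "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "updns: VPN server pushed no dhcp-option DNS; $out left unchanged" >&2
        return 1
    fi
}

# Only act when executed by OpenVPN as /etc/openvpn/updns (not when sourced).
[ "${0##*/}" = "updns" ] && write_vpn_resolv /etc/resolv.conf.vpn
```

With `set -x -v` and `exec &>${0%.*}.log` added at the top as suggested above, the log shows every foreign_option_N value the script saw, which tells you whether the server pushed DNS at all.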