Dnsmasq and dhcp DNS setup questions

I have lately found interest in the world of DNS, but we haven’t made it easy! Not even with dnsmasq-full.

Is there any 1:1 conversion list between the dnsmasq official settings and Openwrt dhcp and network settings?

Like uci set network.wan.peerdns, what is peerdns called in dnsmasq? I can’t even find that in the official manual?
But it turns off the ISP dns server connection.

And uci add_list network.wan.dns is the same as dnsmasq server=

Why have we made non standard setup and why is it spread out between network and dhcp config file?

It is not connected to dnsmasq. It is substituting the ISP-advertised nameserver with the one specified there.

No, it is specifying the DNS if you don't get the one advertised from the ISP.


So how do I get the “dnsmasq server function” in the dhcp config? I tried writing a server line in dhcp and it didn’t solve anything.

uci add_list dhcp.lan_dns.server='1.1.1.1'
But what are you trying to achieve in the first place?


Note that you can also simply use /etc/dnsmasq.conf if you intend to play with dnsmasq itself.


For the list supported by OpenWrt have a look at https://openwrt.org/docs/guide-user/base-system/dhcp
What is not in the table needs to be set as native dnsmasq config in an option file, which needs to be included...

I'm on a mobile phone so I cannot check myself, but IIRC there is already a default file included... Use ps to get the currently running dnsmasq process. That way you see where the currently used config file lives in /var.
In this file you should find a reference to the mentioned default include file. There you can put your additional options not supported by OpenWrt UCI.

The very first lines of the autogenerated dnsmasq.conf are:

# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
...
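As an added example (not code from the thread or from the OpenWrt project), here is a small shell script that does what the two replies above describe: read the dnsmasq command line from ps to find the file given to -C, then look inside that file for the conf-file include and for the native options you care about. The same check answers the question that comes up later in the thread of whether the dnssec keyword actually reached dnsmasq. The ps output and the generated config below are constructed samples shaped like the header quoted above; the trust-anchor line uses the published root KSK DS record, and port 5453 is the stub-resolver port used further down in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). On a router run:
#   ps w | dnsmasq_conf_from_ps
# and pass the printed path to dnsmasq_has_option / dnsmasq_option_values.
# Below, constructed samples stand in for ps and for the generated file so the
# script runs anywhere.

# Print the argument that follows "-C" on the dnsmasq command line read from stdin.
# The [d] bracket trick keeps the awk process itself from matching on a live ps.
dnsmasq_conf_from_ps() {
    awk '/[d]nsmasq/ { for (i = 1; i < NF; i++) if ($i == "-C") { print $(i + 1); exit } }'
}

# Exit 0 if config file $1 sets option $2, either bare ("dnssec") or with a value ("server=...").
dnsmasq_has_option() {
    grep -qE "^$2(=|\$)" "$1"
}

# Print every value given to option $2 in config file $1, one per line.
dnsmasq_option_values() {
    grep -E "^$2=" "$1" | sed "s/^$2=//"
}

# Constructed sample of `ps w` output on an OpenWrt router.
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
    1 root      1232 S    /sbin/procd
 1234 dnsmasq   3456 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid'

# Constructed sample of the auto-generated file, same shape as the header quoted above.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dnssec
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
no-resolv
server=127.0.0.1#5453
server=::1#5453
EOF

CONF_PATH=$(printf '%s\n' "$SAMPLE_PS" | dnsmasq_conf_from_ps)
printf 'dnsmasq started with:  %s\n' "$CONF_PATH"
printf 'native include file:   %s\n' "$(dnsmasq_option_values "$SAMPLE_CONF" conf-file)"
printf 'upstream servers:      %s\n' "$(dnsmasq_option_values "$SAMPLE_CONF" server | tr '\n' ' ')"
for opt in dnssec dnssec-check-unsigned dnssec-no-timecheck no-resolv; do
    if dnsmasq_has_option "$SAMPLE_CONF" "$opt"; then
        printf '%-22s on\n' "$opt:"
    else
        printf '%-22s off\n' "$opt:"
    fi
done
```

On a real router, replace the constructed ps text with `ps w` and point the two lookup functions at the path it prints; the generated file under /var is rewritten on every dnsmasq restart, so anything you want to keep belongs in /etc/dnsmasq.conf (the conf-file include) or in /etc/config/dhcp, not in /var.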
  1. Better order and some cleanup in the network.
  2. DNSSEC
  3. DoH or DoT

In that order.

Actually it was uci add_list dhcp.dnsmasq.server=<ip address>

I cheated and looked at what LuCI would have done.


I changed the headline for the thread to fit the discussion better, since I am pretty sure there are a lot of users out there as confused about DNS, Dnsmasq and dhcp as I am.

Another question I found when I was cleaning up.
From the beginning, when I made my static leases, LuCI put a line called dns=1 in every static lease I set up.

So I did the same in the rest of my static leases, since I thought LuCI knows what to do.
But what does that line actually do? Today for the first time I tried a static lease with dns as 0 and 1, and pretty much nothing interesting happens. The IP is resolved with the host name and internet works on the device?

Here it says dns does this; to be honest, I don’t have a clue what that means:
https://openwrt.org/docs/guide-user/base-system/dhcp

Add static forward and reverse DNS entries for this host.

It depends on whether you have renamed the dnsmasq instance for the lan interface, like I have, but yes, the default is like yours.

Not sure I get it

uci set dhcp.lan_dns.dnssec='1'
uci commit dhcp
service dnsmasq restart

stubby or https-dns-proxy, and make a server entry for the port they are listening on:

        list server '127.0.0.1#5453'
        list server '::1#5453'

That one is pretty complicated, but a little like this. It is a lot easier when using host names instead of different IPs depending on what config script setup is loaded in the router.

Will probably start with this alternative when that times comes.


--dnssec-no-timecheck

There is no setting for this in the dhcp config? There is dnsseccheckunsigned, but without dnssec-no-timecheck that has an NTP problem!

Is there any OpenWrt invented solution for this that isn’t documented?

And where are the settings for the trust-anchor?

What specific NTP problem are you referring to?

From the dnsmasq manual.

--dnssec-no-timecheck
DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGINT. The intention is that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as reliable time is established, a SIGINT should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records which have not been thoroughly checked.
Earlier versions of dnsmasq overloaded SIGHUP (which re-reads much configuration) to also enable time validation.
If dnsmasq is run in debug mode (--no-daemon flag) then SIGINT retains its usual meaning of terminating the dnsmasq process.

https://dnsmasq.org/docs/dnsmasq-man.html

So you are running down the man page testing all possible switches and comparing it to what's baked into OpenWrt?

What occurs when you run this test page?

On Win 11 and Firefox 109.

ISP DNS server and DNSSEC=OFF (all lines red except “Correct signature”, which is green):

Oh no! Your DNS responses are not authenticated:
DNSSEC using ECDSA P-256 (FAIL)

    Correct signature: connected
    Invalid signature: connected
    Expired signature: connected
    Missing signature: connected

DNSSEC using ECDSA P-384 (FAIL)

    Correct signature: connected
    Invalid signature: connected
    Expired signature: connected
    Missing signature: connected

DNSSEC using Ed25519 (FAIL)

    Correct signature: connected
    Invalid signature: connected
    Expired signature: connected
    Missing signature: connected

Cloudflare and Google DNS servers and DNSSEC=OFF (all lines green):

Great! Your DNS responses are authenticated:
DNSSEC using ECDSA P-256 (PASS)

    Correct signature: connected
    Invalid signature: not connected
    Expired signature: not connected
    Missing signature: not connected

DNSSEC using ECDSA P-384 (PASS)

    Correct signature: connected
    Invalid signature: not connected
    Expired signature: not connected
    Missing signature: not connected

DNSSEC using Ed25519 (PASS)

    Correct signature: connected
    Invalid signature: not connected
    Expired signature: not connected
    Missing signature: not connected

Cloudflare and Google DNS servers and DNSSEC=ON (all lines green):

Great! Your DNS responses are authenticated:
DNSSEC using ECDSA P-256 (PASS)

    Correct signature: connected
    Invalid signature: not connected
    Expired signature: not connected
    Missing signature: not connected

DNSSEC using ECDSA P-384 (PASS)

    Correct signature: connected
    Invalid signature: not connected
    Expired signature: not connected
    Missing signature: not connected

DNSSEC using Ed25519 (PASS)

    Correct signature: connected
    Invalid signature: not connected
    Expired signature: not connected
    Missing signature: not connected

So now it is actually even worse, because now we have the other question: how do we actually turn off dnssec, or what is the meaning of the option dnssec?!?

If I move the whole dnsmasq config out of the dhcp config file to dnsmasq.conf, then the dnssec on/off function actually works.

That is pretty interesting.
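Since the DNSSEC and DoT/DoH replies earlier give the UCI side, and the observation just above is that the same settings behave as expected once they live in dnsmasq.conf, here is an added example (not the OP's file and not from the OpenWrt project) of a native /etc/dnsmasq.conf carrying those options, with the /etc/config/dhcp option each line corresponds to noted in the comments. It assumes the default unnamed dnsmasq section, addressed as dhcp.@dnsmasq[0] (the thread's author has it renamed, e.g. lan_dns), a stub resolver (stubby or https-dns-proxy) listening on 127.0.0.1 and ::1 port 5453 as in the server entries earlier, and the root KSK DS record published by IANA as the trust anchor. OpenWrt already includes /etc/dnsmasq.conf from the generated file (the conf-file= line quoted earlier), so these lines add to, rather than replace, what UCI generates; list options such as server= simply accumulate.

```conf
# /etc/dnsmasq.conf (added example, not the thread author's file)
# Each native dnsmasq option is preceded by the /etc/config/dhcp setting it
# corresponds to. Anything set here is merged with the UCI-generated file.

# --- upstream resolvers ---
# uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5453'
# uci add_list dhcp.@dnsmasq[0].server='::1#5453'
# Forward only to the local DoT/DoH stub; port 5453 is an assumption,
# use whatever your stub is configured to listen on.
server=127.0.0.1#5453
server=::1#5453
# uci set dhcp.@dnsmasq[0].noresolv='1'
# Ignore the resolv.conf written from the ISP-advertised servers, so no
# query can leak past the stub in clear text.
no-resolv

# --- DNSSEC validation ---
# uci set dhcp.@dnsmasq[0].dnssec='1'
dnssec
# uci set dhcp.@dnsmasq[0].dnsseccheckunsigned='1'
# Prove that an unsigned answer is legitimately unsigned instead of trusting it.
dnssec-check-unsigned
# No UCI equivalent in the documented table. Root KSK DS record as published
# by IANA; only needed if your generated file does not already carry one.
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# No UCI equivalent in the documented table. For a router without an RTC:
# skip the signature time-window check until the process receives SIGINT.
# Something MUST send that signal once NTP has synced
# (kill -INT $(pidof dnsmasq)), otherwise expired and not-yet-valid
# signatures are accepted indefinitely.
dnssec-no-timecheck

# --- local name handling ---
# uci set dhcp.@dnsmasq[0].domainneeded='1'
domain-needed
# uci set dhcp.@dnsmasq[0].boguspriv='1'
bogus-priv
# uci set dhcp.@dnsmasq[0].localise_queries='1'
localise-queries
# uci set dhcp.@dnsmasq[0].rebind_protection='1'
stop-dns-rebind
# uci set dhcp.@dnsmasq[0].rebind_localhost='1'
rebind-localhost-ok
# uci set dhcp.@dnsmasq[0].domain='lan'
domain=lan
# uci set dhcp.@dnsmasq[0].local='/lan/'
local=/lan/
# uci set dhcp.@dnsmasq[0].expandhosts='1'
expand-hosts
# uci set dhcp.@dnsmasq[0].cachesize='1000'
cache-size=1000
# uci set dhcp.@dnsmasq[0].authoritative='1'
dhcp-authoritative
```

After editing, restart with `service dnsmasq restart` and confirm with `ps w` that the running process still uses the generated -C file, then check that file for the conf-file= include; if the include is missing on your build, the native file is never read and none of the above takes effect. Whether your OpenWrt build already arranges the dnssec-no-timecheck SIGINT after NTP sync is something to verify on the device (look for a dnsmasq-related script under /etc/hotplug.d/ntp/), not something the thread establishes.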

Are you now going to, or have you tested the other man page options in the dnsmasq.conf file?