Do not use ISP DNS Servers

Hey there,

I have trouble getting my custom DNS Servers to work, but let me first explain my setup:

I have three devices:

  • A TP-Link router which does not support OpenWrt and should act only as a modem
    • IP 192.168.1.1
  • A TP-Link Archer C6 EU with OpenWrt 23.05 which is connected via Ethernet to the router above
    • IP 192.168.1.2
  • A GL-AR300M16 running stock firmware based on OpenWrt 22.03
    • IP 192.168.1.3

The two OpenWrt devices are connected via an 802.11s mesh network, and both provide Wi-Fi for client devices.

Now I am trying to use dnsforge.de instead of my ISP's DNS; however, dnsleaktest.com shows both the dnsforge.de resolvers and my ISP's resolvers. How can I ensure only my custom DNS servers are used?

Here is my config:

TP-Link
`/etc/config/dhcp`
# /etc/config/dhcp on the Archer C6 (OpenWrt 23.05, 192.168.1.2), as posted.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS rebind protection: upstream answers that resolve to private/loopback
        # addresses are discarded. Enabled here (the GL-AR300M16 listing below has it off).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        # NOTE(review): 'authoritative' assumes this is the only DHCP server on the segment,
        # but the thread says the ISP router (192.168.1.1) also serves DHCP on 192.168.1.0/24 -- confirm.
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Answer DNS queries only from directly attached subnets (not an open resolver toward wan).
        option localservice '1'
        option ednspacket_max '1232'
        # Upstream forwarders (dnsforge.de, IPv4 + IPv6). These are plain port-53 forwarders;
        # no DoT/DoH is configured here, so the queries themselves travel in the clear.
        list server '176.9.93.198'
        list server '176.9.1.117'
        list server '2a01:4f8:151:34aa::198'
        list server '2a01:4f8:141:316d::117'
        # Do not read /tmp/resolv.conf.d/resolv.conf.auto: the 'list server' entries above are
        # dnsmasq's only upstreams, so an ISP-learned resolver cannot be used by dnsmasq itself.
        option noresolv '1'

# DHCPv4 is enabled on lan ('dhcpv4 server', no 'ignore') on the same 192.168.1.0/24 that the
# ISP router serves. OpenWrt normally skips DHCP on an interface where it detects another DHCP
# server unless 'force' is set, so which server actually answers here should be verified; a
# client that takes the ISP router's offer receives that router's DNS option, not the one below
# (inference from this config plus the thread -- confirm with a packet capture).
config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option start '150'
        option limit '200'
        option master '1'
        option ra 'hybrid'
        option dhcpv6 'hybrid'
        # DHCP option 6 (DNS servers): clients that lease from this server are pointed at the
        # two OpenWrt dnsmasq instances.
        list dhcp_option '6,192.168.1.2,192.168.1.3'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static local name -> address entry served by dnsmasq (not subject to rebind protection).
config domain
        option name 'localserver.example.com'
        option ip '192.168.1.98'
`/etc/config/network`
# /etc/config/network on the Archer C6, as posted.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4c:fc94:87ba::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

# lan lives inside the ISP router's 192.168.1.0/24 with the ISP router as default gateway,
# i.e. this device acts as a second router/AP on the same segment rather than behind its own NAT.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'
        # These are written to /tmp/resolv.conf.d/resolv.conf.auto ("# Interface lan" in the
        # thread). dnsmasq ignores that file because /etc/config/dhcp sets noresolv '1'; its
        # upstreams come from 'list server' there, which are the same four addresses.
        list dns '176.9.93.198'
        list dns '176.9.1.117'
        list dns '2a01:4f8:151:34aa::198'
        list dns '2a01:4f8:141:316d::117'
        option gateway '192.168.1.1'

# peerdns '0' on wan and wan6: DNS servers offered by the ISP's DHCP/DHCPv6 are not accepted.
# This is the setting the thread's last reply refers to; it is already present.
# NOTE(review): lan already carries the default gateway, so whether eth0.2 is even connected
# is unclear from the listing -- confirm.
config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 = LAN ports, VLAN 2 = WAN port, both tagged to the CPU (port 0).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'
`/etc/config/wireless`
# /etc/config/wireless on the Archer C6, as posted (SSIDs and keys are placeholders).
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel 'auto'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        # NOTE(review): no 'country' option on this radio (radio1 below has 'DE') -- confirm the
        # regulatory domain is applied to the 5 GHz radio as well.

# Client AP, 5 GHz. 'sae-mixed' is WPA3-SAE/WPA2-PSK transition mode: WPA2-only clients still
# associate with PSK, so the effective protection is that of the passphrase.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'MY-SSID'
        option encryption 'sae-mixed'
        option key 'MY-PASSWORD'
        # 802.11r fast BSS transition; all APs in the roaming set share mobility_domain 'abcd'
        # and carry distinct nasid values (MAC-1/MAC-2 here, MAC-3 on the GL-AR300M16).
        option ieee80211r '1'
        option nasid 'MAC-1'
        option mobility_domain 'abcd'
        option ft_over_ds '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '10'
        option band '2g'
        option htmode 'HT40'
        option cell_density '0'
        option country 'DE'
        # noscan: keep HT40 on 2.4 GHz even when overlapping neighbours are present.
        option noscan '1'

# Client AP, 2.4 GHz; same SSID/key/roaming settings as the 5 GHz AP.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'MY-SSID'
        option encryption 'sae-mixed'
        option key 'MY-PASSWORD'
        option ieee80211r '1'
        option nasid 'MAC-2'
        option mobility_domain 'abcd'
        option ft_over_ds '0'

# 802.11s mesh backhaul to the GL-AR300M16, secured with SAE and bridged into lan.
# The mesh key must be identical on both peers; the two listings show different placeholders
# ('MESH_PW' here, 'MESH-PW' on the GL device) -- presumably the same real secret, confirm.
config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'mesh'
        option encryption 'sae'
        option mesh_id 'localmesh'
        option mesh_fwding '1'
        option mesh_rssi_threshold '0'
        option ifname 'mesh0'
        option key 'MESH_PW'
        option network 'lan'
GL-AR300M16
`/etc/config/dhcp`

# /etc/config/dhcp on the GL-AR300M16 (stock firmware on OpenWrt 22.03, 192.168.1.3), as posted.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
# NOTE(review): 'authoritative' assumes this is the only DHCP server on the segment; see 'force' below.
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# Answer DNS queries only from directly attached subnets.
option localservice '1'
option ednspacket_max '1232'
# NOTE(review): DNS rebind protection is DISABLED on this resolver, unlike the Archer C6
# (rebind_protection '1'). Upstream answers pointing at 192.168.x.x/127.x.x.x are accepted,
# which is what DNS-rebinding attacks rely on. The local 'config domain' entry below does not
# need this off (hosts entries are not subject to the check), so '1' is the safer value.
option rebind_protection '0'
# Upstream forwarders (dnsforge.de), identical to the Archer C6.
list server '176.9.93.198'
list server '176.9.1.117'
list server '2a01:4f8:151:34aa::198'
list server '2a01:4f8:141:316d::117'
# Ignore resolv.conf.auto; only the 'list server' entries above are used as upstreams.
option noresolv '1'

# DHCPv4 on lan with 'force': the server starts even though another DHCP server (the ISP router)
# is present on 192.168.1.0/24. Clients then see competing offers, and whichever they accept
# decides which DNS option they get (inference from this config plus the thread -- verify).
config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option dhcpv4 'server'
option force '1'
option start '150'
option limit '200'
# DHCP option 6 (DNS servers): the two OpenWrt dnsmasq instances.
list dhcp_option '6,192.168.1.2,192.168.1.3'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

# Static local name -> address entry served by dnsmasq.
config domain
option name 'localserver.example.com'
option ip '192.168.1.98'

# DHCP scope for the guest network (192.168.9.0/24); the 'guest' interface itself is
# disabled in /etc/config/network.
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'disabled'
option ra 'disabled'

`/etc/config/network`
# /etc/config/network on the GL-AR300M16, as posted.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd22:f06e:3841::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

# lan is in the shared 192.168.1.0/24; its default gateway is the Archer C6 (192.168.1.2),
# which in turn forwards to the ISP router (192.168.1.1). The lan reaches the Archer over the
# 802.11s mesh (wireless config below).
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'
        option ipaddr '192.168.1.3'
        option gateway '192.168.1.2'
        # Same four dnsforge.de addresses as on the Archer; written to resolv.conf.auto, which
        # dnsmasq does not read here because /etc/config/dhcp sets noresolv '1'.
        list dns '176.9.93.198'
        list dns '176.9.1.117'
        list dns '2a01:4f8:151:34aa::198'
        list dns '2a01:4f8:141:316d::117'

# peerdns '0': DNS servers offered by an upstream DHCP server are not accepted on wan/wwan.
config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option ipv6 '0'
        option peerdns '0'

config interface 'wan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wan'

config interface 'tethering6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@tethering'

config interface 'wwan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wwan'

# Guest network (192.168.9.1/24), currently disabled. The matching guest AP in
# /etc/config/wireless is disabled as well.
config interface 'guest'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '0'
        option isolate '0'
        option bridge_empty '1'
        option disabled '1'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'

config interface 'modem_1_1_2_6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@modem_1_1_2'

# Policy-routing rules (fwmark 0x8000/0xc000 -> table 8000) for IPv4 and IPv6. They appear to
# come from the vendor firmware's VPN policy routing; no VPN interface is present in this
# listing, so they are presumably inert -- confirm.
config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

`/etc/config/wireless`
# /etc/config/wireless on the GL-AR300M16, as posted (SSID/keys are placeholders except where noted).
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option htmode 'HT40'
        option channel '10'
        option cell_density '0'
        option noscan '1'
        option country 'DE'

# Client AP, 2.4 GHz, bridged into lan. 'sae-mixed' = WPA3-SAE/WPA2-PSK transition mode
# (WPA2-only clients still associate with PSK). 802.11r roaming set shares mobility_domain
# 'abcd' with the two Archer C6 APs, with its own nasid.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ifname 'wlan0'
        option key 'MY-PASSWORD'
        option ssid 'MY-SSID'
        option encryption 'sae-mixed'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option nasid 'MAC-3'
        option mobility_domain 'abcd'
        option reassociation_deadline '1000'
        option ieee80211r '1'

# Guest AP (disabled). NOTE(review): the key 'goodlife' is a short dictionary word and looks like
# the vendor's shipped default rather than a placeholder -- change it before enabling this SSID.
# 'wds' on a guest AP with client isolation is unusual; presumably left from stock firmware, confirm.
config wifi-iface 'guest2g'
        option device 'radio0'
        option network 'guest'
        option mode 'ap'
        option ifname 'wlan0-1'
        option encryption 'psk2'
        option key 'goodlife'
        option ssid 'GL-AR300M-470-Guest'
        option guest '1'
        option disabled '1'
        option wds '1'
        option isolate '1'

# 802.11s mesh backhaul to the Archer C6, secured with SAE, bridged into lan. The key must match
# the Archer's mesh key (placeholders differ: 'MESH-PW' here vs 'MESH_PW' there -- confirm).
config wifi-iface 'wifinet2'
        option ifname 'mesh0'
        option network 'lan'
        option encryption 'sae'
        option device 'radio0'
        option mesh_fwding '1'
        option mesh_id 'localmesh'
        option key 'MESH-PW'
        option mode 'mesh'
        option mesh_rssi_threshold '0'

You can't, unless you double-NAT and intercept the DNS requests on the OpenWrt router.

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns


Do you mean I can't ensure it because clients can always choose to not use the advertised DNS server?

In this case, I guess I should rephrase my question:

How can I make all clients only use dnsforge.de by default (and not my ISP)?

Reread my last post, or hard-code the DNS servers on each client device.

It'll probably still be bypassed by some apps, like YouTube, which may use their own built-in (e.g. DNS-over-HTTPS) resolver instead of the system one.

Can you elaborate a bit more, why this is not possible?

I previously had a setup with only one OpenWrt router and without the mesh and it was working fine. All clients were sending their DNS requests to the OpenWrt router which would resolve them using the specified DNS server...

It looks like you have one subnet and the ISP router is doing the DNS/DHCP.

If that is the case, then setting a different DNS server on the OpenWrt and GL.iNet routers only works for a guest Wi-Fi on its own subnet, not for regular clients, because their DHCP (and therefore their DNS server assignment) comes from the ISP router.


Besides intercepting DNS, you also need to set your upstream DNS servers (or a DoH proxy pointing to them) as the only forwarders in DHCP/DNS and ignore the resolv file. It is enough to configure dnsmasq and the DNAT redirect only on the router closest to the internet, the one all other traffic passes through.

It has to be done on the "main" router (the one that does not support OpenWrt).


... which is why you've been told to double NAT.


Thanks for all the answers!

I have now set the DNS servers handed out by my ISP router to 192.168.1.2 and 192.168.1.3 (my OpenWrt instances), and all requests are answered by the OpenWrt routers (to test, I enabled filtering of A records and got empty responses on the clients).

However, according to dnsleaktest, queries still seem to reach both my custom and the ISP DNS servers.

Can this approach to route DNS requests Client - OpenWrt - ISP Router - OpenWrt - Custom DNS Server work or do I need something else? Any ideas why it still uses also the ISP DNS servers?

Best is to set the ISP CPE you can't fully control to passthrough (bridge) mode, so that it performs as few functions as possible.

What's in your /var/resolv.conf.d/resolv.conf ?

(not 100% sure the path and file name are correct; I have no device access at the moment)

Here is the resolver configuration:

/var/resolv.conf
# /etc/resolv.conf links to this file on OpenWrt: processes on the router itself resolve
# through the local dnsmasq on loopback, i.e. through the 'list server' upstreams.
search lan
nameserver 127.0.0.1
nameserver ::1
/var/resolv.conf.d/resolv.conf.auto
# Interface lan
# Generated by netifd from 'list dns' on the lan interface. dnsmasq is configured with
# noresolv '1', so it does not read this file; its upstreams are the 'list server' entries,
# which are the same four dnsforge.de addresses.
nameserver 176.9.93.198
nameserver 176.9.1.117
nameserver 2a01:4f8:151:34aa::198
nameserver 2a01:4f8:141:316d::117

And those are … the ones you want?

Ah sorry, forgot to mention that :slight_smile: Yes, the 4 in the resolv.conf.auto are my desired DNS servers.

These are used only if some host queries dnsmasq on OpenWrt.
You'd need to ensure that connected hosts use OpenWrt as their nameserver.

How do I do that?

Currently, when I connect to my WiFi e.g. on a Windows PC, it is configured to use 192.168.1.2 (my primary OpenWrt device) as nameserver. Is that enough?

Scroll back to the 1st reply in the thread.

Ok, I think I got lost somewhere.

My current understanding is:

  • DHCP is handled by my ISP router which advertises 192.168.1.2 as DNS server
  • Clients are using this nameserver and sending DNS requests to my OpenWrt instance
  • When querying 192.168.1.2 with a DNS request, OpenWrt's DNS server will handle this
  • Currently, OpenWrt's DNS server uses both my configured nameservers and the nameservers advertised by my DSL provider

When and where should I now intercept the DNS requests? From my understanding, OpenWrt already has full control over DNS requests.

Then you should ignore the DNS servers advertised by the ISP. It's a setting on the wan interface (`option peerdns '0'`); your posted /etc/config/network already has it on wan and wan6, and your resolv.conf.auto shows only the dnsforge.de addresses, so dnsmasq itself is unlikely to be the leak. Check whether clients can still reach the ISP router's resolver directly — for example via a competing DHCP offer from the ISP router, or via its IPv6 router advertisements — and run the extended test on dnsleaktest.com to verify.
