Force OpenWrt DNS Servers For All Devices & Software

I use OpenDNS FamilyShield DNS servers 208.67.222.123 and 208.67.220.123 on the WAN to keep kids safe. I have recently noticed that if I use the NordVPN browser extension, the DNS is bypassed. I also use Avast One, and the DNS is bypassed with it as well.

Is there a way to force everything to use the DNS servers specified in WAN or to prevent software from using its DNS servers and use OpenWrt DNS instead?

As long as the DNS actually passes through the router, yes.

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

However, if the client device is running a VPN, there is absolutely nothing you can do to prevent them from getting DNS from whatever source they want.

Further, with DoT/DoH, it is more complex, as you can block, but not hijack, DNS traffic.

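As an added example (not from the thread or the linked wiki page), this is the /etc/config/firewall form of the interception the reply describes: plain port-53 DNS from the LAN is DNAT'ed to the router, and DNS-over-TLS on port 853 is rejected so clients fall back to the router. It assumes the default 'lan' and 'wan' zone names; DoH shares port 443 with normal HTTPS and cannot be singled out by port, and traffic inside a client-side VPN tunnel never reaches these rules.

```uci
# Redirect every LAN DNS query (UDP and TCP port 53) to the router itself.
# With no dest_ip, a DNAT redirect targets the router, i.e. dnsmasq,
# which then forwards to the upstream servers configured on WAN.
config redirect 'dns_int'
	option name 'Intercept-DNS'
	option family 'any'
	option proto 'tcp udp'
	option src 'lan'
	option src_dport '53'
	option target 'DNAT'

# DNS-over-TLS cannot be hijacked, only refused. Rejecting (rather than
# dropping) port 853 makes most resolvers fail fast and fall back to
# plain DNS, which the redirect above then captures.
config rule 'dot_fwd'
	option name 'Deny-DoT'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '853'
	option target 'REJECT'
```

Apply with `service firewall restart` and verify from a LAN client that `nslookup example.com 1.1.1.1` returns an answer that actually came from the router (the answering server shown will still be 1.1.1.1, but the result matches the router's filtered upstream).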

Thank you for the reply. I was hoping there was some feature in OpenWrt that would combat this behavior and force everything to use the DNS servers specified in OpenWrt.

The best I have at the moment is to create a firewall traffic rule to block IPs for the NordVPN browser extension DNS 103.86.96.100 and 103.86.99.100 (which keeps it from working), and Avast One, which uses 181.214.35.148 (and can be turned off in Explore > Device Protection > Web Hijack Guard and set to OFF for Trusted networks).