Forcing DNS with IP

Hi, is it possible to make an IP address of AdGuard Home the default DNS so that all clients must use it? The local AdGuard Home instance that is not on the router is what I want to utilize in this situation; I tried using https-dns-proxy, but it only supports DoH. It should also overwrite the VPN interface DNS just like https-dns-proxy does.

You can:

  • Set the OpenWrt system resolver to use the AGH address as its DNS server.
    • When you do this, client devices will send a DNS request to OpenWrt and that request will be forwarded to the DNS server you've specified.
    • The DNS server will see all requests as originating from the router itself, not the individual clients.
    • This means that the DNS server won't be able to collect per-client statistics or provide client-specific responses, but the whole network will still get DNS responses from the AGH server.
  • Use DHCP option 6 to advertise the desired DNS server address to DHCP clients.
    • Assuming that the clients respect option 6, they will directly connect to the AGH server.
    • This means that they will be individually identifiable wrt statistics and/or per-client customized responses.
  • You can also set up DNS hijacking to redirect any other DNS server requests to your AGH server. (Clients are not required to use the DHCP-advertised DNS servers.)
    • The idea here is that clients that are hard-coded or otherwise set to use a different (public) DNS server will be forced to use the local specified server.
    • This only works for standard DNS (not DoH/DoT) because part of the point with DoH/DoT is to be able to guarantee that you are actually getting responses from the server based on the certificates involved in the encrypted data.
4 Likes

These are three choices, correct? The best-sounding option is the third one. Where should the DNS be set globally? Or do I have to configure each interface's DNS? Or do I need DNS forwarding? (from the URL you linked)

They are three options, but they are not exclusive. You can use any one, two, or all three in combination. Typically, most users will choose an either/or for the first and second options; the 3rd option can be added if desired.

It depends on your goals and preferences.

If you want to set the OpenWrt system resolver (i.e. the 'global' setting), you can do that in the Dnsmasq configuration:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration

The DHCP server option (option 6) is added to the DHCP server configuration for your lan (and/or any other subnets).

Both of these are set in /etc/config/dhcp.

This is only necessary if you're using DNS hijacking.

1 Like

Alright, so I've configured DHCP option 6 with the AdGuard Home IP on each interface, set the VPN interface's DNS to the AGH IP, set DNS forwarding for the IP under DHCP and DNS, and created an intercept DNS port forward rule. AdGuard Home now receives all DNS traffic, but it only sees one IP address—OpenWrt—instead of each client. What went wrong? Additionally, even though I have a custom DNS IP on the VPN interface, it appears that the VPN DNS is occasionally being used.

This:

Instead, you probably want to do this:

Alright, it appears to be working now. Now I want to force that every device must use this DNS, so I would do "Add a new rule to Network → Firewall → Port Forwards, setting “Protocol” as “UDP”, “Source zone” as “lan”, “External port” to 53, “Destination zone” as “unspecified” and “Internal IP Address” to my AdGuard Home IP and “Internal port” still 53", right? Thank you!

Yeah, I don't think that works: "Add a new rule to Network → Firewall → Port Forwards, setting “Protocol” as “UDP”, “Source zone” as “lan”, “External port” to 53, “Destination zone” as “unspecified” and “Internal IP Address” to my AdGuard Home IP and “Internal port” still 53". Do you know what the correct way is?

Anyone know?
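The three options from the first reply (router resolver, DHCP option 6, DNS hijacking) all live in /etc/config/dhcp and /etc/config/firewall, and the question at the end of the thread is what the hijack rule should look like. The script below is an added example, not code from the thread or from the OpenWrt wiki: it renders a UCI batch file that you can review and then apply on the router with `uci batch`. The AGH address 192.168.1.2, the DHCP section name `lan` and the zone name `lan` are assumptions. The hijack rule is the plain-DNS redirect-to-router form (DNAT on TCP/UDP 53 from the lan zone with no `dest_ip`); the router's dnsmasq then forwards to AGH, so hijacked clients show up in AGH as the router, exactly as the first reply describes for the resolver option, while clients that honour option 6 stay individually visible. A DNAT straight to a LAN host for traffic that originates on the same LAN is the rule the last posts describe as not working: the AGH host answers the client directly from its own address, so the client never sees the reply it expects.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): render a UCI batch that
#  (a) advertises AdGuard Home via DHCP option 6 so clients query it directly,
#  (b) points the router's dnsmasq at AGH and ignores WAN/VPN-pushed resolvers,
#  (c) hijacks plain DNS (TCP/UDP 53) from the lan zone to the router itself.
# AGH_IP, LAN_DHCP and LAN_ZONE are assumed values; adjust them for your network.
set -eu

AGH_IP="${AGH_IP:-192.168.1.2}"       # assumed AdGuard Home LAN address
LAN_DHCP="${LAN_DHCP:-lan}"           # assumed DHCP section name in /etc/config/dhcp
LAN_ZONE="${LAN_ZONE:-lan}"           # assumed firewall zone of the clients
BATCH="${BATCH:-./agh-dns.uci}"       # batch file written for review before applying

# Refuse anything that is not a dotted-quad IPv4 literal.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# (a) DHCP option 6 = DNS server list. Clients that honour it talk to AGH
#     directly, so AGH can keep per-client statistics for them.
render_option6() {
  printf "add_list dhcp.%s.dhcp_option='6,%s'\n" "$LAN_DHCP" "$AGH_IP"
}

# (b) Router resolver: dnsmasq forwards to AGH only. noresolv=1 makes it
#     ignore resolvers learned from WAN/VPN peers, so a VPN-pushed DNS server
#     cannot take over. Queries forwarded this way reach AGH from the router IP.
render_resolver() {
  printf "set dhcp.@dnsmasq[0].noresolv='1'\n"
  printf "add_list dhcp.@dnsmasq[0].server='%s'\n" "$AGH_IP"
}

# (c) DNS hijack: DNAT plain DNS from the client zone to the router (no
#     dest_ip), where dnsmasq applies (b). Only catches port-53 DNS; DoH/DoT
#     is not affected, as the first reply notes.
render_hijack() {
  printf "add firewall redirect\n"
  printf "set firewall.@redirect[-1].name='Intercept-DNS'\n"
  printf "set firewall.@redirect[-1].src='%s'\n" "$LAN_ZONE"
  printf "set firewall.@redirect[-1].src_dport='53'\n"
  printf "set firewall.@redirect[-1].proto='tcp udp'\n"
  printf "set firewall.@redirect[-1].target='DNAT'\n"
}

# Full batch: all three pieces plus the commits that make uci persist them.
render_batch() {
  valid_ipv4 "$AGH_IP" || { echo "bad AGH_IP: $AGH_IP" >&2; return 1; }
  render_option6
  render_resolver
  render_hijack
  printf 'commit dhcp\ncommit firewall\n'
}

# Write the batch for review. Applying it (APPLY=1) only makes sense on the
# router, where uci and the init scripts exist.
main() {
  render_batch > "$BATCH"
  echo "wrote $BATCH"
  if [ "${APPLY:-0}" = 1 ] && command -v uci >/dev/null 2>&1; then
    uci batch < "$BATCH"
    /etc/init.d/dnsmasq restart
    /etc/init.d/firewall restart
  fi
}

main
```

Review `agh-dns.uci` first, then run `APPLY=1 sh agh-dns.sh` on the router. Because the redirect targets the router rather than the AGH host, no extra masquerading is needed for same-subnet clients; the trade-off, as the thread's first reply already spells out, is that hard-coded clients caught by the hijack lose their individual identity in AGH.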