How to configure custom DNS servers

I don't want to use my ISP's DNS servers, but I'm a little confused as there seems to be multiple places to configure alternate servers.

Using the LuCI interface, I can go to the WAN and WAN6 interfaces, under Advanced Settings, and clear the "Use DNS servers advertised by peer" checkbox. But then I can either enter the custom DNS servers there for the WAN interfaces, or I can enter them on the LAN interface page.

Also, the Network > DHCP and DNS page has a place for "DNS forwardings".

I entered my custom servers on the LAN interface page and it seems to be working fine. I'm just wondering whether there is a preferred way to do this, pros and cons, etc.

Thanks in advance. I'm running LEDE 17.01.4 on a WRT1900ACS.

1 Like

These are the correct steps I believe; it's how I've been setting up my LEDE-powered routers anyway.

You can test if it's working by going to https://www.dnsleaktest.com

1 Like

I employ the “Use DNS servers advertised by peer” method and add my own DNS servers, but there is another option:

  • You can edit the LAN DHCP to directly hand out your preferred DNS servers to the clients, this is done under "DHCP-Options" section on Interfaces.

This would be a double step though, since you still have to specify WAN DNS servers or Resolvers if you want the router to resolve hostnames. Adding the DNS to the LAN interface only allows the router's LAN IP to resolve hostnames. But, if you're concerned about DNS leaks (which I've never observed), the LAN DHCP method would completely solve the problem.

Thanks. Some of that is over my head but I think I got some of it too.

But this confuses me,

as I have not specified WAN DNS servers, I only have them on the LAN interface, yet name resolution seems fine. I just pinged one of the NTP servers from the router command line and that worked too. So the router itself seems OK, as do clients.

Yes, in your case, the Interface on which you placed the nameservers is configured to use your WAN. If such weren't the case, it might not work.

By default, LEDE's Dnsmasq hands out the router as DNS server. Dnsmasq can then use:

  1. its configured resolvers, or
  2. the nameservers of the Kernerl's interfaces

Hope this helps.

Great, thanks again. In checking the clients I did see that they had the router's IP as the DNS server.

Upon un-checking the "use advertised" and inserting 9.9.9.9 and 149.112.112.112, upon router reboot I have no internet access. Those DNS numbers were inserted under the Interfaces WAN section. Do I need to put them in the LAN only, both areas? I am running an otherwise working OpenVPN with an exit node of choice.

Did you create a route for those IPs that exist on the VPN interface?

Looking the the Interfaces, and the two VPN interfaces, CSVPNTUN
CRYPTOSTORM_VPN, neither has a way to see what IPs they use. Only the LAN shows an IP address. LAN ip is: Pv4: 192.168.0.1/24

I use custom DNS servers in the WAN interface only.

In your example, when you SSH in to the router and run cat /etc/config/network , the WAN entry for DNS should look like this...

   config interface 'wan'        
        option dns '9.9.9.9 74.82.42.42'

To use them in OpenVPN, add the following to your .ovpn file...

dhcp-option DNS 9.9.9.9
dhcp-option DNS 149.112.112.112
1 Like

Added the DNS lines into my .ovpn. Still leaking, but I do have Internet access.

Try adding the following to your .opvpn file...

block-outside-dns

Hmm
I always remove all DNS servers from all interfaces.
And then i set the DNS servers directly in dnsmasq.

Name resolution on the router should always work because the DNS servers of all interfaces are getting collected in the resolv.conf file, along with 127.0.0.1 (the dns resolver instance on the router (dnsmasq, unbound or whaterver))
Atleast if you don't uncheck the “Use DNS servers advertised by peer” box or if you don't setup any dns servers anywhere.
If you have option noresolv '0' (default) dnsmasq will query all dns servers it can find in the resolv.conf file and also the servers which you can set up in dnsmasq directly.

Currently i have

search lan
nameserver 127.0.0.1

in my resolv.conf file. Because no nameservers are configured on the interfaces and the “Use DNS servers advertised by peer” box is unchecked.

and

list server 'x.x.x.x'
list server 'x.x.x.x'

In my dhcp config file. (dnsmasq)
Works x)

Disadvantage here is if dnsmasq goes down, resolving will not work on the router.

2 Likes