How to force clients to use DNS server on OpenWrt AP?

Couple days ago, I set-up a dumb AP running OpenWrt at with DNS & DHCP duties all forwarded to the router at Today I decided to enhance the AP's functionality slightly by turning on dnsmasq and only use it as a DNS server (DHCP still forwarded to router).

The main goal is to use Steven Black's compiled hosts file to do some adblocking. Through a combination of configuration via SSH & LuCI, I've managed to modify the dnsmasq section of the /etc/config/dhcp config file to the following:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/'
	option localservice '1'
	list addnhosts '/root/hosts/StevenBlack.hosts'
	list server ''

And it appears to have been configured correctly on the AP at least, since when I run from the OpenWrt # nslookup, I get the following output:


Address 1:	canonical name =
Address 2: 2607:f8b0:400b:809::2002

Similar story for # nslookup Both of these domains are on the base compiled hosts file, and their IPv4 addresses correctly get resolved to

However when I connect to the WiFi generated by the AP through my phone and my PC, and go to a site that I know a priori to show ads from both ad domains above, those ads are still fully visible and clickable. When I run $ nslookup from my PC, the domain gets resolved to the ad's intended IP of, which I suppose means that it's not actually using the DNS server set-up on the AP. Also I did not manually set DNS servers on the network connection from my PC client, and simply left it as "automatic".

I wouldn't be surprised if it's something obvious that I've missed, which would lead me to facepalming once revealed. Any help and ideas are appreciated.


Just to elaborate a bit more, I'd like all clients, in particular smartphones & tablets, that connect to the AP's WiFi to be able to use the DNS server running on that AP itself.

Of course on my PC I can just manually set the DNS for the given connection to be that of the AP, and that does work, though I still do think it's an extra step and a bit of a hassle, especially if it must be done for all computers that connect to my network.

Is this doable?

rotuer is openwrt? if so un can use dhcp-optionst to push dns server to clients.

Actually my router isn't running OpenWrt, and it likely won't be, at least for a while. It's a stock modem/router combo from my ISP running their OEM crapware, which has malfunctioned, and won't even provide me the options to make any config changes through their webGUI. They said they'll ship me a new modem/router, but in the meanwhile I'm still waiting on it.

other option would be dns hijacking (i use it to bypass chromecast dns) but if your router does not allow you to do almost nothing i cant think of any other options.

1 Like

That's cool, I set it up as such:

Although what I'd like still isn't working yet, probably because the problem remains at the clients not actually sending their DNS queries to the OpenWrt AP for this firewall rule to take place in the first.

I'll leave the rule in place though, as it'll likely be useful down the line, so thanks for the idea.

Thanks for the suggestion, though this won't quite accomplish what I want at the present.

I didn't mention this earlier, but probably should have since it's very relevant. I have a second AP in the house (also running OpenWrt), which I don't plan to do this hosts-based filtering on, so that clients connecting to this one will have their name queries forwarded directly to the DNS server on the ISP router, or Google's, or CloudFlare's, etc.

Maybe down the line, I'd want hosts-based filtering to apply to the entire LAN, at which point your suggestion should work. But currently I'm only looking to do filtering for clients connected to AP1.

1 Like

missing ip? mine points to main router i guess yours should point to your ap dns.

1 Like

Note, that intercepting DNS requires a working firewall, which is not only typically disabled on a dumb AP, but also requires some extra steps to work with bridges.


I'd tried with it added too, but it didn't change the result (or lack thereof). So I just left it out, assuming that without specifying the forwarded internal IP, it'll just go to the device itself. But you're right, better to be more explicit.

Hmm, that's good to know and makes a lot of sense. I shall look into this.

1 Like

It would be easier to disable the dhcp server on the router of your provider and enable it on OpenWrt. This way you can advertise OpenWrt as nameserver and the ISP router as gateway (dhcp option 3).


Yea, I'll give that a shot once the new modem/router combo from my ISP arrives.

Using this method, for my AP2 whose connected clients shouldn't have DNS-based content filtering done, would it work to simply set its DNS server to not be AP1 (but still use AP1 as its DHCP server)?

You can differentiate the dhcp options offered to clients with tags. However if they belong to the same broadcast domain you'll have to differentiate them manually by mac address.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.