How to properly set AdGuard Home server as upstream DNS in OpenWrt

Hello everyone!
I have a question about how to properly set the DNS server on my OpenWrt device to point to my AdGuard Home server.

Recently, I added an HP ProDesk G3 400 mini to my local network and installed Proxmox and an AdGuard Home instance there. Now I want to force my router and LAN devices to use only this DNS server and avoid DNS leaks.

I have found three places where I can set it:

  1. Interfaces → wan → advanced → Use custom DNS servers
  2. Network → DHCP and DNS → forwards → DNS forwards
  3. Network → interfaces → LAN → DHCP server → advanced → DHCP options (6,192.168.1.186)

Where should I set it for it to work properly? Should I set it everywhere as above? What are the differences between these settings?

This?
4. https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

1 Like

Thanks! But sorry, I still don't understand. I assume this guide is about DNS hijacking, but it does not answer my question of where I should point the DNS resolver, as I found three ways to do that and am not sure which is the proper approach.

Number 2 (and clear out the rest)

1 Like

Thank you! Could you please also explain why, and what the differences are?
If I set it up in DNS forwards only, will the router itself also use AdGuard Home? Will setting it up in all three places make a mess?
My understanding (probably wrong) was that the best way would be to set it as the DNS resolver for the WAN interface?

Depends on whether you want to forward the requests via the router or have the clients query AGH directly.

The 2nd option (your option 3) will make AGH see the actual device, rather than only the router, as the source of the queries.

1 Like

Now I get it! So actually both ways are fine; it depends more on what I want to achieve.
I can use the AdG DNS for OpenWrt "globally", and then LAN devices will use OpenWrt as the DNS resolver (which in fact uses AdG), OR I can forward DNS traffic to AdG / advertise a different DNS for LAN devices.
However, which approach is mainly used? Or which would you recommend with AdG? (a few mobile phones, TVs, some other smart devices)

1 Like

I'd definitely use the latter, since it'll give you the option of controlling what's blocked for each and every device (assuming AGH has this feature, I have no idea, I use Pi-hole) and you'll see all the queries each device makes.

Although this will not work for clients with hardcoded DNS IPs, like Chromecast etc.; those will have to be intercepted, using the link posted earlier.
If you create an intercept firewall rule, make sure you make a hole for AGH so it is able to query upstream DNSes, or you will be creating a loop.

Thank you for clarification!

What about combining 2 and 3, DNS forwards with DHCP options? (Or should I use DNS redirection?)
Do I still need to create a firewall rule to intercept DNS?

Devices ignoring your DNS settings will require a firewall rule, if you want to catch them.

1 Like

Thank you @frollic for your patience and clarification. Now everything makes sense.
I have one, last question:
If I set DNS forwarding in dnsmasq (to 192.168.1.186, the AdG IP), then in DHCP option 6 I also need to specify the same address (192.168.1.186) and not the router's IP (192.168.1.1), right?

Technically, the DNS forward isn't required if DHCP option 6 is used, since (most of) the clients will honor it.
The rest will ignore whatever you tell them anyway.

1 Like
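The UCI equivalents of the settings discussed in this thread (option 3 via DHCP option 6, option 2 via the dnsmasq forward, and the intercept rule from the linked wiki page together with the "hole" for AGH that frollic warns about), as an added example that is not part of the original thread and not from the OpenWrt or AdGuard Home documentation. It assumes AGH listens on 192.168.1.186 on the lan zone, the router is 192.168.1.1, and the firewall is fw3 or fw4 (both accept a leading `!` to negate an address match in a redirect). The `DRY_RUN` switch, the `run` wrapper and the `intercept_has_hole` check are this example's own; the redirect mirrors the wiki page's rule with the AGH exclusion added:

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt/AdGuard Home docs: the UCI
# equivalents of the three LuCI places discussed above, plus the intercept rule
# with the "hole" for AGH. Assumptions: AGH listens on 192.168.1.186 on the lan
# zone, the router is 192.168.1.1, and the firewall is fw3 or fw4 (both accept a
# leading "!" to negate an address match in a redirect).
AGH_IP="${AGH_IP:-192.168.1.186}"

# DRY_RUN=1 (the default) prints the commands instead of running them, so the
# script can be reviewed off-router; run with DRY_RUN=0 on OpenWrt to apply.
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s' "$1"; shift
        for a; do printf " '%s'" "$a"; done
        printf '\n'
    else
        "$@"
    fi
}

# Thread's option 3 (LAN > DHCP server > DHCP options): advertise AGH, not the
# router, as the resolver. Clients then query AGH directly and AGH logs each
# device's own IP instead of 192.168.1.1 for everything.
dhcp_option6() {
    run uci -q delete dhcp.lan.dhcp_option   # drops any earlier option 6 (assumes no other DHCP options are set)
    run uci add_list "dhcp.lan.dhcp_option=6,$AGH_IP"
}

# Thread's option 2 (DHCP and DNS > Forwards): the router's own dnsmasq sends
# everything to AGH. noresolv=1 stops dnsmasq from also using the ISP resolvers
# learned from the WAN lease, which would otherwise be a leak path. Option 1
# (WAN custom DNS) is left untouched, as advised above ("clear out the rest").
dnsmasq_forward() {
    run uci -q delete 'dhcp.@dnsmasq[0].server'
    run uci add_list "dhcp.@dnsmasq[0].server=$AGH_IP"
    run uci set 'dhcp.@dnsmasq[0].noresolv=1'
}

# The intercept rule from the linked wiki page: any LAN host that hard-codes a
# resolver (Chromecast and friends) has its port-53 traffic DNATed to the
# router, whose dnsmasq forwards it to AGH. src_ip="!AGH" is the hole: AGH's
# own upstream queries also leave through the router on port 53, and without
# the exclusion they would be redirected back to dnsmasq, which forwards to AGH
# again, which is the loop.
dns_intercept() {
    run uci -q delete firewall.dns_int
    run uci set firewall.dns_int=redirect
    run uci set firewall.dns_int.name=Intercept-DNS
    run uci set firewall.dns_int.src=lan
    run uci set firewall.dns_int.src_dport=53
    run uci set firewall.dns_int.proto='tcp udp'
    run uci set "firewall.dns_int.src_ip=!$AGH_IP"
    run uci set firewall.dns_int.target=DNAT
}

apply_all() {
    dhcp_option6
    dnsmasq_forward
    dns_intercept
    run uci commit dhcp
    run uci commit firewall
    run /etc/init.d/dnsmasq restart
    run /etc/init.d/firewall restart
}

# Self-check run before applying: the redirect must carry the AGH exclusion,
# otherwise applying it would create the loop described above. Always evaluated
# in dry-run mode (subshell) so the check itself changes nothing.
intercept_has_hole() {
    ( DRY_RUN=1; dns_intercept ) | grep -q "src_ip=!$AGH_IP"
}

intercept_has_hole || { echo "intercept rule lacks the AGH exclusion" >&2; exit 1; }
apply_all
```

Run it once as-is to see the exact `uci` commands it would issue, then `DRY_RUN=0 sh thisscript.sh` on the router. The redirect deliberately has no `dest_ip`: sending LAN clients straight to AGH with DNAT would break replies for hosts on the same subnet (the answer would come back from 192.168.1.186 instead of the address the client asked), so hardcoded-DNS devices go through the router's dnsmasq and, for those devices only, AGH sees the router as the source, which matches what the thread describes.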

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.