```text
# Using default server (127.0.0.1)
Name: cachyos.lan
Address: 192.168.0.142
Address: 2001:8f8:1825:3866::142
Address: fddc:3f1a:d1db::142

# Using dnscrypt-proxy (127.0.0.53)
Name: cachyos.lan
Address: 192.168.0.142
Address: fddc:3f1a:d1db::142
```
dnscrypt-proxy2 is already listening on 127.0.0.53, but currently clients query OpenWRT first, and dnsmasq sometimes returns the IPv6 GUA address before dnscrypt-proxy responds.
I want clients to automatically resolve via 127.0.0.53 and avoid leaking GUA addresses.
Has anyone successfully set up .lan cloaking like this? Any tips on configuring dnsmasq or routing queries would help.
```
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	list addnmount '/usr/libexec/gzip-gnu'
	list addnmount '/bin/busybox'
	list addnmount '/var/run/adblock-lean/abl-blocklist.gz'
	list notinterface 'wan'
	list notinterface 'wan6'
	option noresolv '1'
	list server '127.0.0.53'
	list server '/cachyos.lan/127.0.0.53'
```
I tried restarting my cachyos device and dnsmasq along with odhcpd; it still seems to show the GUA address unless I specifically use 127.0.0.53 during nslookup.
I’m assuming this isn’t possible, but I wanted to check.
My use case might be a bit niche. I’m trying to use ULA addresses in my DNS entries instead of GUA addresses, mainly to simplify firewall configuration on my Linux system. I use ufw, which doesn’t support negative netmask notation like OpenWRT does, so working with GUAs is more cumbersome.
Another issue is VPN routing. When I whitelist IPs to use the tunnel, relying on GUA has been unreliable because my ISP frequently changes the IPv6 prefix. With ULA, the prefix remains stable, which makes management much easier.
If I’m forced to use GUA, I would need to route the entire IPv6 block assigned by my ISP. I’m concerned this could potentially cause routing issues somewhere down the line. That’s why sticking with ULA feels like the better long-term approach.
Is there any way to make this work, or am I out of luck here?
You could stop odhcpd from sending lease names to dnsmasq by removing the leasefile and leasetrigger options in the odhcpd config. Then there would be no DNS for GUAs, except anything you manually entered perhaps as static IPv6 ULA reservations.
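A way to confirm afterwards that .lan answers no longer carry a GUA, as an added check that is not from anyone in this thread: it classifies each IPv6 "Address:" line of nslookup output (the format shown above, which it assumes) as GUA or ULA and fails if a GUA was answered.

```shell
#!/bin/sh
# Added check: classify IPv6 answers from nslookup output as GUA (2000::/3),
# ULA (fc00::/7) or other, so a leaked global address for a .lan name is
# spotted without reading the addresses by hand.

classify_v6() {
    # Lowercase the address and decide by its leading hex digits.
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$addr" in
        2*|3*)   echo gua ;;    # 2000::/3 global unicast
        fc*|fd*) echo ula ;;    # fc00::/7 unique local
        *)       echo other ;;
    esac
}

# Read nslookup output from stdin, count GUA/ULA/other IPv6 answers,
# print the counts and return non-zero if any GUA was answered.
check_answers() {
    gua=0; ula=0; other=0
    while read -r key value; do
        [ "$key" = "Address:" ] || continue
        case "$value" in *:*) ;; *) continue ;; esac   # skip IPv4 answers
        case "$(classify_v6 "$value")" in
            gua)   gua=$((gua + 1)) ;;
            ula)   ula=$((ula + 1)) ;;
            other) other=$((other + 1)) ;;
        esac
    done
    echo "gua=$gua ula=$ula other=$other"
    [ "$gua" -eq 0 ]
}

# Constructed samples: the two nslookup runs quoted in the thread.
DEFAULT_OUT='Name: cachyos.lan
Address: 192.168.0.142
Address: 2001:8f8:1825:3866::142
Address: fddc:3f1a:d1db::142'
PROXY_OUT='Name: cachyos.lan
Address: 192.168.0.142
Address: fddc:3f1a:d1db::142'

# Live use after the odhcpd change: nslookup cachyos.lan | check_answers
```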