How to set custom DNS instead of ISP advertised?

Hi, I just flashed factory firmware to my Netgear R6120 and everything went perfectly. I was surprised how easy it was! I would like to thank all of you for that. Unfortunately, I have very limited knowledge when it comes to networking stuff. Therefore, I am attempting to implement modifications solely when they are absolutely necessary. I am here today with the following issue, which I couldn't figure out even after reading the documentation.

Using family safe DNS instead of ISP advertised: I tried this post with DNS hijacking and did not work. I also tried to set destination as WAN and LAN instead of unspecific in network/firewall/forwards, which made the internet experience terribly slow.

What did not work?

You could use option 6 from https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_options to advertise your custom DNS(es) to your clients, but then you need to permit DNS traffic from the clients, which you probably blocked by applying the hijacking guide.

Thank you for the reply. I mean, my custom DNSes were not advertised after following the steps from those links I mentioned. Did you mean to follow "Providing custom DNS with DHCP"?

Seems to be the same, DHCP option 6.

Are you sure they weren't advertised, as opposed to being ignored by the clients? Those are two different things...


I checked using DNS leak test such as this and found my ISP advertised DNS every time I checked. I didn't set any DNS in my client device.

Not what I asked ...

Sorry, I am totally a noob in this area. Should setting DNS to automatic on the client ignore the DNS advertised by the router? Are the steps I mentioned in the first post supposed to work?

Assuming the DNSes you've configured in the router actually are sent to the clients, they're still only "recommendations", not mandatory, unless you implement the DNS hijacking steps.

Figure out how to check the DNS settings for your clients, or tell us what OS they run, and we'll help you.


Thank you for the patience. Please let me know whether the steps I am currently following to make my router advertise Cloudflare DNS are correct.

  1. Started an SSH session,
  2. Executed the following,
     uci -q delete dhcp.lan.dhcp_option
     uci add_list dhcp.lan.dhcp_option="6,1.1.1.3,1.0.0.3"
     uci commit dhcp
     /etc/init.d/dnsmasq restart

     uci -q delete dhcp.lan.dns
     uci add_list dhcp.lan.dns="2606:4700:4700::1113"
     uci add_list dhcp.lan.dns="2606:4700:4700::1003"
     uci commit dhcp
     /etc/init.d/odhcpd restart
  3. Implemented DNS hijacking,
  4. Checked DNS on Ubuntu using ( nmcli dev list || nmcli dev show ) 2>/dev/null | grep DNS and found the following results,
     IP4.DNS[1]:                             1.1.1.3
     IP4.DNS[2]:                             1.0.0.3

But it still shows that the DNS requests originate from my ISP when I check with a leak test. This test spam link was supposed to be blocked according to Cloudflare.

Then you need to implement the DNS hijacking, along with a DoH and DoT server block, or disable DoH and/or DoT in your browsers and OSes.

Also make sure your ISP isn't intercepting your DNS requests; if they are, you'll need to set up the https-dns-proxy package.


Is https-dns-proxy doing the same thing as DoH + DoT? I also disabled WebRTC in my browser. Now the DNS leak test shows only the country, not the ISP.

How can I implement Cloudflare DoH + DoT?

It's DoH, and you only need one of them.

There's a package called https-dns-proxy, simply install it along with the luci-app-https-dns-proxy UI package, and configure it.


It appears that it is working as expected. To sum up, in order to get a leak-free custom DNS setup, all I needed was to install https-dns-proxy + luci-app-https-dns-proxy, configure it, and implement DNS hijacking. That's all!

I am merely ensuring that I am not performing any redundant actions.
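The router-side part of the setup this thread converges on (DHCP option 6 advertisement, DNS hijacking, and a DoT block so clients cannot route around the router) collected into one script, as an added example that is not from the thread or the OpenWrt project. It assumes an OpenWrt router with uci and the standard dnsmasq, odhcpd and firewall init scripts; the section names dns_int and dot_fwd are labels chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the uci commands that make an
# OpenWrt router the only resolver its LAN clients can use:
#   1. advertise the chosen resolvers via DHCP option 6 (IPv4) and the
#      DHCPv6 "dns" list (IPv6), as the poster did by hand;
#   2. DNAT every LAN query on port 53 to the router ("DNS hijacking"), so a
#      client with a hard-coded resolver still ends up at dnsmasq;
#   3. reject outbound DNS-over-TLS (port 853) so DoT cannot bypass step 2.
#      DoH rides on 443 and cannot be blocked by port: disable it in the
#      clients, or let https-dns-proxy answer locally as the thread advises.
# Section names dns_int / dot_fwd are labels chosen for this example.
# On the router:  dns_setup_script 1.1.1.3 1.0.0.3 2606:4700:4700::1113 | sh
dns_setup_script() {
    v4=""    # comma-joined IPv4 resolvers for DHCP option 6
    v6=""    # space-separated IPv6 resolvers for odhcpd
    for ip in "$@"; do
        case "$ip" in
            *:*) v6="${v6:+$v6 }$ip" ;;
            *)   v4="${v4:+$v4,}$ip" ;;
        esac
    done
    [ -n "$v4" ] || { echo "need at least one IPv4 resolver" >&2; return 1; }
    echo "uci -q delete dhcp.lan.dhcp_option"
    echo "uci add_list dhcp.lan.dhcp_option='6,$v4'"
    echo "uci -q delete dhcp.lan.dns"
    for ip in $v6; do echo "uci add_list dhcp.lan.dns='$ip'"; done
    cat <<EOF
uci -q delete firewall.dns_int
uci set firewall.dns_int=redirect
uci set firewall.dns_int.name='Intercept-DNS'
uci set firewall.dns_int.src='lan'
uci set firewall.dns_int.src_dport='53'
uci set firewall.dns_int.proto='tcp udp'
uci set firewall.dns_int.target='DNAT'
uci -q delete firewall.dot_fwd
uci set firewall.dot_fwd=rule
uci set firewall.dot_fwd.name='Deny-DoT'
uci set firewall.dot_fwd.src='lan'
uci set firewall.dot_fwd.dest='wan'
uci set firewall.dot_fwd.dest_port='853'
uci set firewall.dot_fwd.proto='tcp udp'
uci set firewall.dot_fwd.target='REJECT'
uci commit dhcp
uci commit firewall
/etc/init.d/dnsmasq restart
/etc/init.d/odhcpd restart
/etc/init.d/firewall restart
EOF
}
```

Review the printed commands before piping them to sh; the redirect rule assumes the LAN zone is named lan and that dnsmasq listens on the router's LAN address.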

If you don't mind your ISP snooping, disabling WebRTC might be enough.

