How to use OpenWrt as DNS from different network?

PixWrt · August 20, 2022, 4:13pm

Here's my current network configuration:

Vodafone Station modem
    │
    └─ OpenWrt router via LAN
              │
              ├─ smartphone
              ├─ TV
              │
              └─ TP-Link router via Powerline (other room)
                        │
                        ├─ laptop #1
                        └─ laptop #2

The OpenWrt router is connected to the Vodafone Station via a regular LAN cable, and the TP-Link router is connected to the OpenWrt router via Powerline.

Due to issues with the powerline speed from OpenWrt I want to connect the TP-Link router directly to the Vodafone Station (via Powerline too):

Vodafone Station modem
    │
    ├─ OpenWrt router via LAN
    │         │
    │         ├─ smartphone
    │         └─ TV
    │
    ├─ TP-Link router via Powerline (other room)
    │         │
    │         └─ laptop #1
    │
    └─ laptop #2

How do I configure OpenWrt as the DNS

on the TP-Link router and
on laptop #2 (Ubuntu)?

I have already configured the Vodafone Station to give the OpenWrt router the static DHCP address 192.168.0.251, but when simply entering that IP address into laptop #2's DNS server text field, no Internet domains are resolved anymore.

Unfortunately, the Vodafone Station does not have a DNS setting itself, and modifying its firmware is not an option as the device is owned by Vodafone.

On the OpenWrt router I've installed the Adblock package which uses dnsmasq as its back-end. dnsmasq forwards local inbound DNS requests from port 53 to port 5453 at which Stubby listens. (I use Stubby for DoT and DNSSEC.)

To configure dnsmasq and Stubby, I strictly followed this tutorial by German IT expert Mike Kuketz.

Here are the commands I used:

uci add_list dhcp.@dnsmasq[-1].server='127.0.0.1#5453'
uci set dhcp.@dnsmasq[-1].noresolv=1
uci commit && reload_config

uci set network.wan.peerdns='0'
uci set network.wan.dns='127.0.0.1'
uci set network.wan6.peerdns='0'
uci set network.wan6.dns='0::1'
uci commit && reload_config

uci set dhcp.@dnsmasq[-1].dnssec=1
uci set dhcp.@dnsmasq[-1].dnsseccheckunsigned=1
uci commit && reload_config

OpenWrt's firewall blocks access to port 53 via UDP and TCP to prevent devices from circumventing OpenWrt's DNS.

frollic · August 21, 2022, 5:20am

If the tp-link is connected via its WAN port, you'll have to allow the DNS traffic in the firewall.

Is it connected via a LAN port, the firewall have no purpose, since you're not routing the traffic.

PixWrt · August 21, 2022, 3:00pm

Okay, then that's what I'll do. Though, how do I actuall set up the DNS in the TP-Link router and laptop #2? Is entering the OpenWrt router's IP address sufficient?

PixWrt · August 22, 2022, 2:28pm

I just tried simply setting 192.168.0.251 as the DNS for the TP-Link router, but that resulted in no domains being resolved anymore (OpenWrt did resolve when directly connected to it).

frollic · August 22, 2022, 2:38pm

Well, you probably haven't set your openwrt router to use localhost as DNS.

You could try nslookup google.com 127.0.0.1

PixWrt · August 22, 2022, 2:57pm

root@OpenWrt:~# nslookup google.com 127.0.0.1
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      google.com
Address 1: 172.217.16.206
Address 2: 2a00:1450:4001:830::200e

Firewall rule for port 53 disabled:

DHCP and DNS > General Settings:

frollic · August 22, 2022, 3:04pm

So, how is your network configured now?

And how is the tplink openwrt router connected?

You could try the nslookup from laptop 2, using the IP of the tplink, as well.

PixWrt · August 22, 2022, 3:07pm

In what regard?

The OpenWrt router is connected to the Vodafone Station directly via a LAN cable, and the TP-Link router gets its internet from the Vodafone Station via Powerline.

frollic · August 22, 2022, 3:08pm

Using which port, on the tplink?

PixWrt · August 22, 2022, 3:10pm

I simply plugged the Powerline adapter's LAN cable into the TP-Link router's WAN port.

frollic · August 22, 2022, 3:15pm

This was the 1st reply you got How to use OpenWrt as DNS from different network? - #2 by frollic

Or reconfigure as dumb ap, but in your case, with dns enabled.

Or put laptop 2 behind the tplink router, then it's OK to use the WAN port.

PixWrt · August 22, 2022, 3:39pm

I disabled the firewall rule that blocked DNS traffic as you can see in this screenshot: How to use OpenWrt as DNS from different network? - #6 by PixWrt

Is 192.168.0.251 (OpenWrt's static IP in Vodafone Station's network) the correct IP in the first place? I mean, is the TP-Link router (connected to Vodafone Station too) even able to contact that IP address at all?

When my laptop is connected to Vodafone Station's WiFi, I'm able to ping 192.168.0.251, but nslookup google.com 192.168.0.251 returns a time-out error.

pavelgl · August 22, 2022, 4:35pm

This rule has nothing to do with what @frollic said in post 2:

uci add firewall rule
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].name='Allow-DNS-from-WAN'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='53'
uci commit firewall
/etc/init.d/firewall restart

PixWrt · August 22, 2022, 4:44pm

Ohhh, now I understand!

I ran your firewall commands, set 192.168.0.251 as the TP-Link router's DNS and opened https://dnsleaktest.com on my laptop (that is connected to the TP-Link router), and it indeed returned the 3 DNS services that are set as resolvers in OpenWrt – so it seems to have finally worked!

Thank you very much, @frollic and @pavelgl!

system · September 1, 2022, 4:44pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.