Is it possible to use ISP DNS + additional DNS as a fallback?

I have optimum online ISP and sometimes their DNS servers go down. Like 99.9% of the year they're fine and the other times they're not. What I do during those times is, in Luci, uncheck Interfaces > WAN > "Use DNS servers advertised by peer" and add 8.8.8.8 under "Use custom DNS servers".

What I want to know is how I can leave "Use DNS servers advertised by peer" checked so that ISP DNS servers are used by default but then also use 8.8.8.8 as a fallback.

Is there a way to add a custom fallback while still keeping the ISP servers primary? I have searched for this topic on Google but all the instructions are how to effectively override the ISP DNS servers by disabling them and setting a custom one, like I described above.

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_options

Option 6.

But if I add that option, doesn't it mean that all clients will get 8.8.8.8 instead of dnsmasq using it as a fallback? What I'm saying is I want all clients to keep using 192.168.1.1, i.e. go through the router's DNS server (like they already do, so nothing changes for clients), but then dnsmasq can use 8.8.8.8 as a fallback.

You can always point the clients to 192.168.1.1, then apply the upstream change in either dnsmasq or the firewall.

Pretty sure there's no "backup" or "primary" DNS in dnsmasq. If you want it hard, configure a firewall rule rerouting the traffic when you detect the primary DNS server is down.

You could also do 6,192.168.1.1,8.8.8.8

Then the 192 will be primary for the clients.
If it goes down, they'll automagically switch to 8.8.8.8, and when the 192 comes back online, switch back, but not immediately.

I think that depends on the OS, often both are queried and the fastest is used.

Dnsmasq has the option strict order, which does not work very well, but that comes closest; see my notes about it: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak#how-dnsmasq-works-in-openwrt

But why would you use the ISP DNS server in the first place?
To be honest it is one of the first things I disable.

Better use a trusted third-party DNS server, preferably encrypted (DoT, DoH).
A simple solution is to use HTTPS DNS proxy or SmartDNS.

2 Likes

We've seen scenarios where the ISP's DNS server is providing services that will only resolve using their own DNS server: IPTV, VoIP etc ...

not very common, but it happens.

you can always tell dnsmasq to resolve those names using their DNS, the rest, elsewhere ...

1 Like

If the only concern is the provider's DNS going down, you just set your DNS to a pair of the fast public ones:

I.e. in Luci -> Network -> DNS and DHCP -> Forwards, enter a consistent pair of servers from any of the providers (Quad9 is most privacy friendly, Google or Cloudflare may be milliseconds faster).
There is a more detailed setup possible, like totally not using the provider's DNS, or using it selectively for the provider's domains, or using some DNS encryption option if you have a relatively powerful router, thus please provide the output of ubus call system board

Thanks for all the advice. I'm going to try the following for a few days:

  • Enable strict order (in DHCP and DNS advanced settings page)
  • Specify all DNS servers manually in the order I want.

This is possible because my ISP has used the same DNS server IP addresses for the last decade.


Luci's status overview page now shows this:

DNS 1: 167.206.10.178
DNS 2: 167.206.10.179
DNS 3: 8.8.8.8
DNS 4: 8.8.4.4

cat /tmp/resolv.conf.d/resolv.conf.auto now shows this:

# Interface wan
nameserver 167.206.10.178
nameserver 167.206.10.179
nameserver 8.8.8.8
nameserver 8.8.4.4

https://www.dnscheck.tools/ shows that both optimum online (cablevision) and google nameservers are queried. I expected only optimum online nameservers would be used but maybe that is because of the recent problems with the optimum online nameservers. I'm going to give it a few days and see how it works.

All DNS servers are queried in round-robin fashion.

According to the dnsmasq man page:
-o, --strict-order
By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up. Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf
--all-servers
By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this flag forces dnsmasq to send all queries to all available servers. The reply from the server which answers first will be returned to the original requester.

That is what the man page says, but in reality strict order is not working very well: it gives up very quickly and then tries other servers.
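The two ideas that came up above (detect that the primary resolver is down and only then move the fallback in front, and keep the ISP-only names on the ISP's resolvers) can be combined in a small script. This is an added example, not code from the thread or from the OpenWrt project. It assumes busybox `nslookup` and `timeout` (both present on OpenWrt) and the existing dnsmasq uci options `server`, `noresolv` and `strictorder`; the server list, the probe name `openwrt.org` and the `yourprovider.cc` placeholder are constructed to match the resolv.conf.auto shown earlier in the thread. Run it from cron every few minutes; it only rewrites the list and restarts dnsmasq when the ranking actually changed, so the cache is not flushed on every run.

```shell
#!/bin/sh
# Added example, not from this thread or from OpenWrt: rank the upstream
# resolvers by health so strict-order tries a working one first, and pin
# ISP-only domains to the ISP resolvers. Assumes busybox nslookup and
# timeout (present on OpenWrt) and the dnsmasq uci options server, noresolv
# and strictorder. Server list and probe name are constructed to match the
# resolv.conf.auto shown earlier in the thread.

UPSTREAMS="${UPSTREAMS:-167.206.10.178 167.206.10.179 8.8.8.8 8.8.4.4}"
ISP_SERVERS="${ISP_SERVERS:-167.206.10.178 167.206.10.179}"  # the ISP's subset
ISP_DOMAINS="${ISP_DOMAINS:-}"    # e.g. "yourprovider.cc": names only the ISP resolves
PROBE_NAME="${PROBE_NAME:-openwrt.org}"   # a name every resolver should answer
PROBE_TIMEOUT="${PROBE_TIMEOUT:-3}"       # seconds before a resolver counts as down

# probe_server IP: succeed only if IP answers a query for PROBE_NAME in time.
# Redefine this function to simulate an outage without touching the network.
probe_server() {
    timeout "$PROBE_TIMEOUT" nslookup "$PROBE_NAME" "$1" >/dev/null 2>&1
}

# first_healthy: print the first responsive server in list order; fail if none.
first_healthy() {
    for s in $UPSTREAMS; do
        if probe_server "$s"; then
            printf '%s\n' "$s"
            return 0
        fi
    done
    return 1
}

# healthy_order: responsive servers first, then unresponsive ones, each group
# in its original order. Nothing is dropped, so a recovered ISP server moves
# back to the front on the next run.
healthy_order() {
    up=""
    down=""
    for s in $UPSTREAMS; do
        if probe_server "$s"; then up="$up $s"; else down="$down $s"; fi
    done
    printf '%s\n' $up $down   # word splitting intended
}

# isp_only_lines: dnsmasq "/domain/server" entries that send ISP-only names
# (IPTV, VoIP) to the ISP resolvers no matter how the general list is ranked.
isp_only_lines() {
    for d in $ISP_DOMAINS; do
        for s in $ISP_SERVERS; do
            printf '/%s/%s\n' "$d" "$s"
        done
    done
}

# desired_list: the full dhcp.@dnsmasq[0].server list, one entry per line.
desired_list() {
    healthy_order
    isp_only_lines
}

# apply_with_uci: rewrite the uci server list only when it changed (a restart
# flushes dnsmasq's cache), turn off resolv.conf.auto so this list is the only
# upstream source, keep strict order on, and restart dnsmasq.
apply_with_uci() {
    new=$(desired_list | tr '\n' ' ')
    cur=$(uci -q get dhcp.@dnsmasq[0].server)
    [ "$new" = "$cur " ] && return 0
    uci -q delete dhcp.@dnsmasq[0].server
    for s in $new; do
        uci add_list dhcp.@dnsmasq[0].server="$s"
    done
    uci set dhcp.@dnsmasq[0].noresolv='1'
    uci set dhcp.@dnsmasq[0].strictorder='1'
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

# sh dns-fallback.sh check : print the ranking; apply : write it to uci.
case "${1:-}" in
    check) desired_list ;;
    apply) apply_with_uci ;;
esac
```

With `noresolv` set, the interface DNS list in resolv.conf.auto is no longer consulted, so the order dnsmasq sees is exactly the order this script wrote; that is what makes strict order meaningful here. If the ISP servers are down only briefly, a short cron interval (every 5 minutes, say) moves them back to the front soon after they recover.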

Better:

8.8.8.8
/yourprovider.cc/167.206.10.178