Local dns resolving not working

Hi,
Setup:
Router is configured to access Internet only via VPN with OpenVPN.
If OpenVPN connection drops, Router blocks Internet access to all devices (KILL SWITCH)
For privacy, I have also configured the LAN interface to use OpenDNS

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv4 'server'
        option leasetime '1'
        list dhcp_option '6,208.67.222.222,208.67.220.220'
        list ra_flags 'none'

Lastly, one device on my local network is 'Bypassing VPN'

config vpnbypass 'config'
        option enabled '1'
        list localsubnet '192.168.8.50'

Ok so this works fine...well almost!

Problem:
Whenever (list dhcp_option '6,208.67.222.222,208.67.220.220') is set, the local device's hostname is not locally resolved anymore.

sergio@M93p:~$ ping spirarevault
ping: spirarevault: Temporary failure in name resolution

Goal:
I need DNS privacy and don't want to use the ISP's DNS
I need the local devices (on LAN) hostname to be resolved

What I have tried:
I removed (list dhcp_option '6,208.67.222.222,208.67.220.220') from LAN Interface and set in the WAN DNS servers while disabling peer DNS.
Then, the local device's hostname does resolve BUT the device 192.168.8.50 bypassing VPN can't resolve any Internet DNS anymore !?!

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option hostname '*'
        option type 'bridge'
        option peerdns '0'
        list dns '208.67.220.220'
        list dns '208.67.222.222'

I hope this all makes sense and that someone can help me resolve this.
Any hints would be greatly appreciated.

Here is the full Router config:

        "kernel": "5.15.53",
        "hostname": "R4Router",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyelec,nanopi-r4s",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.3",
                "revision": "r16554-1d4dea6d4f",
                "target": "rockchip/armv8",
                "description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd00:ab:cd::/48'

config device
        option name 'eth0'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option hostname '*'
        option type 'bridge'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.8.1'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

config interface 'EXPRESS_VPN'
        option proto 'none'
        option device 'tun0'
        option peerdns '0'

config interface 'WG0'
        option proto 'wireguard'
        option listen_port '51820'
        list addresses '10.0.0.1/32'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option nohostroute '1'
        option peerdns '0'

config wireguard_WG0
        option description 'Spiramentum'
        list allowed_ips '10.0.0.2/32'
        option endpoint_host 'www.xxxxxxxxxxx.xx'
        option persistent_keepalive '25'
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config interface 'Bullet'
        option auto '0'
        option type 'bridge'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wwan'
        option proto 'dhcp'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_localhost '1'
        option local '/lan/'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        option rebind_protection '1'
        option domain 'spirare'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv4 'server'
        option leasetime '1'
        list dhcp_option '6,208.67.222.222,208.67.220.220'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.8.50'
        option name 'JoanneTab'

config host
        option name 'M93p'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.8.30'

config host
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.8.60'
        option name 'spirarevault'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'WG0'
        list network 'Bullet'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wwan'
        option input 'REJECT'
        option forward 'REJECT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

config zone
        option name 'Ex_VPN'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        list network 'EXPRESS_VPN'

config forwarding
        option src 'lan'
        option dest 'Ex_VPN'

config rule
        option name 'wg0'
        option target 'ACCEPT'
        option src 'lan'
        list src_ip '10.0.0.2'
        option dest 'wan'
        list dest_ip '10.0.0.1'
        option enabled '0'

Put your DNS servers in order of preference, so it will be, if it is indeed the local resolver, the OpenWrt device itself first, then the other two OpenDNS IPs.

Or whichever IP is being used for your local name resolving services, followed by any other DNS server you want to use.

Just tried this...is this what you suggested ?

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv4 'server'
        option leasetime '1'
        list dhcp_option '6,192.168.8.1,208.67.222.220,208.67.222.220'
        list ra_flags 'none'

Local device hostnames are not resolved on the local LAN, either from M93p (Desktop) or the Router (192.168.8.1)!

Put your own 192.168.8.1 DNS as the one for the clients (and lan side openwrt), and use the external ones added with option 6, as upstream DNSes for the router.

Just be careful so you don't create a loop.

I am not sure how to do this ?
Do I put 192.168.8.1 as Custom DNS Server in the LAN and put the OpenDNS 208... in the WAN Interface ?

You can remove the custom DNSes, the router will put itself as DNS, that's the default.

For the WAN interface, you can override the DNS IPs.

OK, I understand perfectly. The problem I get when I do this is that the one device on my LAN that bypasses the VPN can't resolve any external (Internet) DNS. From that device, a DNS leak test shows that the DNS requests are going inside the VPN...what is going on?

Sounds like a firewall rule to me.

Ah !
Investigating...

UPDATE... Nothing is found in Firewall Rules.
So I am back to the initial problem where I need list dhcp_option '6,208.67.222.222,208.67.220.220' in the LAN interface in order for the VPN-bypass device to have DNS resolution from the Internet, but then there is no DNS resolution for any of the devices on the LAN.

Then check which DNS the failing client gets from DHCP when those option 6 IPs are removed.

It might be wise to lower the leasetime of DHCP to a minute or two during configuration.

1 Like

I am not sure what you mean by "check which DNS the failing client gets from DHCP".
However, I get this from the failing client, and the ping freezes after the first line.

sergio@M93p:~$ dig google.com

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31638
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             60      IN      A       212.115.105.72

;; Query time: 347 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sat May 20 23:43:02 NZST 2023
;; MSG SIZE  rcvd: 55

sergio@M93p:~$ ping google.com
PING google.com (212.115.105.72) 56(84) bytes of data.
^C
--- google.com ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8198ms

Below is an extract from syslog after I used the browser and did a Google search:


Sat May 20 23:53:43 2023 daemon.info dnsmasq[18038]: 109 192.168.8.30/57495 query[AAAA] www.google.com from 192.168.8.30
Sat May 20 23:53:43 2023 daemon.info dnsmasq[18038]: 109 192.168.8.30/57495 forwarded www.google.com to 208.67.222.222
Sat May 20 23:53:43 2023 daemon.info dnsmasq[18038]: 110 192.168.8.30/39187 query[AAAA] www.gstatic.com from 192.168.8.30
Sat May 20 23:53:43 2023 daemon.info dnsmasq[18038]: 110 192.168.8.30/39187 forwarded www.gstatic.com to 208.67.222.222
Sat May 20 23:53:43 2023 daemon.info dnsmasq[18038]: 111 192.168.8.30/51650 query[A] encrypted-tbn0.gstatic.com from 192.168.8.30
Sat May 20 23:53:43 2023 daemon.info dnsmasq[18038]: 111 192.168.8.30/51650 forwarded encrypted-tbn0.gstatic.com to 208.67.222.222
Sat May 20 23:53:44 2023 daemon.info dnsmasq[18038]: 111 192.168.8.30/51650 reply encrypted-tbn0.gstatic.com is 142.250.189.14
Sat May 20 23:53:44 2023 daemon.info dnsmasq[18038]: 112 192.168.8.30/39232 query[AAAA] encrypted-tbn0.gstatic.com from 192.168.8.30
Sat May 20 23:53:44 2023 daemon.info dnsmasq[18038]: 112 192.168.8.30/39232 forwarded encrypted-tbn0.gstatic.com to 208.67.222.222
Sat May 20 23:53:44 2023 daemon.info dnsmasq[18038]: 113 192.168.8.30/49736 query[AAAA] e101729.a.akamaiedge.net from 192.168.8.30
Sat May 20 23:53:44 2023 daemon.info dnsmasq[18038]: 113 192.168.8.30/49736 forwarded e101729.a.akamaiedge.net to 208.67.222.222
Sat May 20 23:53:44 2023 daemon.info dnsmasq[18038]: 113 192.168.8.30/49736 forwarded e101729.a.akamaiedge.net to 208.67.220.220
Sat May 20 23:53:46 2023 daemon.info dnsmasq[18038]: 114 192.168.8.42/37069 query[A] play.googleapis.com from 192.168.8.42
Sat May 20 23:53:46 2023 daemon.info dnsmasq[18038]: 114 192.168.8.42/37069 forwarded play.googleapis.com to 208.67.222.222
Sat May 20 23:53:46 2023 daemon.info dnsmasq[18038]: 115 192.168.8.30/39572 query[AAAA] public-metservice-com.cdn.red-shield.net from 192.168.8.30
Sat May 20 23:53:46 2023 daemon.info dnsmasq[18038]: 115 192.168.8.30/39572 forwarded public-metservice-com.cdn.red-shield.net to 208.67.222.222
Sat May 20 23:53:46 2023 daemon.info dnsmasq[18038]: 115 192.168.8.30/39572 forwarded public-metservice-com.cdn.red-shield.net to 208.67.220.220

It looks to me like the DNS query goes out and a reply comes back with the IP... But the browser does not get to the requested page after receiving the IP. This is relatively new to me, but this is what I think is happening.
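As an added example (not part of this thread), here is a small Python parser for dnsmasq query-log lines in the same shape as the syslog extract above. It groups lines by dnsmasq's query id, records which upstream each client's queries were forwarded to, which names were answered from local sources, and which queries received no reply in the captured window, which is exactly the "DNS works, so look at routing" conclusion drawn from the log. The sample log is constructed to mirror the extract; the `DHCP`, `cached`, `config` and `/etc/hosts` source words are the labels dnsmasq itself uses for locally answered queries, and the `spirarevault.spirare` lines are a constructed instance of one.

```python
"""Parse dnsmasq query logs (OpenWrt syslog format) and summarise where each
client's queries were answered.  Added example; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

# Constructed sample in the same shape as the syslog extract in the thread.
SAMPLE_LOG = """\
Sat May 20 23:53:43 2023 daemon.info dnsmasq[18038]: 109 192.168.8.30/57495 query[AAAA] www.google.com from 192.168.8.30
Sat May 20 23:53:43 2023 daemon.info dnsmasq[18038]: 109 192.168.8.30/57495 forwarded www.google.com to 208.67.222.222
Sat May 20 23:53:44 2023 daemon.info dnsmasq[18038]: 111 192.168.8.30/51650 query[A] encrypted-tbn0.gstatic.com from 192.168.8.30
Sat May 20 23:53:44 2023 daemon.info dnsmasq[18038]: 111 192.168.8.30/51650 forwarded encrypted-tbn0.gstatic.com to 208.67.222.222
Sat May 20 23:53:44 2023 daemon.info dnsmasq[18038]: 111 192.168.8.30/51650 reply encrypted-tbn0.gstatic.com is 142.250.189.14
Sat May 20 23:53:46 2023 daemon.info dnsmasq[18038]: 114 192.168.8.42/37069 query[A] play.googleapis.com from 192.168.8.42
Sat May 20 23:53:46 2023 daemon.info dnsmasq[18038]: 114 192.168.8.42/37069 forwarded play.googleapis.com to 208.67.222.222
Sat May 20 23:53:50 2023 daemon.info dnsmasq[18038]: 115 192.168.8.30/40001 query[A] spirarevault.spirare from 192.168.8.30
Sat May 20 23:53:50 2023 daemon.info dnsmasq[18038]: 115 192.168.8.30/40001 DHCP spirarevault.spirare is 192.168.8.60
"""

# "<id> <client>/<port> <message>" is what dnsmasq emits with extra query logging.
LINE_RE = re.compile(r"dnsmasq\[\d+\]: (?P<qid>\d+) (?P<client>[0-9a-fA-F.:]+)/(?P<port>\d+) (?P<msg>.*)$")
QUERY_RE = re.compile(r"query\[(?P<type>\w+)\] (?P<name>\S+) from (?P<src>\S+)")
FWD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<upstream>\S+)")
# "reply" comes from an upstream; the other sources are answered locally by dnsmasq.
ANSWER_RE = re.compile(r"(?P<source>reply|cached|config|DHCP|/etc/hosts) (?P<name>\S+) is (?P<value>\S+)")


def parse_dnsmasq_log(text):
    """Group log lines by (query id, client, port) and return one record per query."""
    queries = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["qid"], m["client"], m["port"])
        rec = queries.setdefault(key, {"client": m["client"], "name": None, "type": None,
                                       "upstreams": [], "answers": [], "local_source": None})
        msg = m["msg"]
        if q := QUERY_RE.match(msg):
            rec["name"], rec["type"] = q["name"], q["type"]
        elif f := FWD_RE.match(msg):
            rec["upstreams"].append(f["upstream"])
        elif a := ANSWER_RE.match(msg):
            rec["answers"].append(a["value"])
            if a["source"] != "reply":
                rec["local_source"] = a["source"]
    return list(queries.values())


def summarize(records):
    """Per-client upstreams used, names answered locally, and queries still without a reply."""
    upstreams = defaultdict(set)
    local, unanswered = [], []
    for r in records:
        for up in r["upstreams"]:
            upstreams[r["client"]].add(up)
        if r["local_source"]:
            local.append(r["name"])
        elif not r["answers"]:
            unanswered.append(r["name"])
    return {"upstreams_by_client": dict(upstreams), "local_answers": local, "unanswered": unanswered}


if __name__ == "__main__":
    summary = summarize(parse_dnsmasq_log(SAMPLE_LOG))
    for client, ups in summary["upstreams_by_client"].items():
        print(f"{client}: forwarded to {sorted(ups)}")
    print("answered locally:", summary["local_answers"])
    print("no reply seen:", summary["unanswered"])
```

Run it against a real extract with `logread | grep dnsmasq` piped into `parse_dnsmasq_log`; a client whose queries are all forwarded and answered but which still cannot reach the returned addresses has a routing or firewall problem, not a DNS one, while a LAN hostname that shows up as "forwarded" instead of answered from `DHCP` tells you the client is not using the router as its resolver.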

If name resolution appears to be working, then it's not DNS related, but probably routing.

Take note that the router itself also should be able to do DNS lookup to resolve the URL of the VPN, to resolve NTP servers etc.

So make sure you set some upstream DNS resolvers even if you use option 6 to set the DNS directly on the client.

1 Like

I went kind of out of my way to do this for you, please check the following:

  • disable the openvpn service
  • stop the openvpn service
  • In the Router/Luci go to network->diagnostics>press IPv4 ping
PING openwrt.org (139.59.209.225): 56 data bytes
64 bytes from 139.59.209.225: seq=0 ttl=51 time=74.606 ms
64 bytes from 139.59.209.225: seq=1 ttl=51 time=63.997 ms
64 bytes from 139.59.209.225: seq=2 ttl=51 time=64.349 ms
64 bytes from 139.59.209.225: seq=3 ttl=51 time=64.753 ms
64 bytes from 139.59.209.225: seq=4 ttl=51 time=65.901 ms

--- openwrt.org ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 63.997/66.721/74.606 ms
  • system->system>Time-Synchronization
    ntpclient ✔
    NTP server candidates
    pool.ntp.org
  • network->dhcp & dns>general settings>DNS forwardings
    208.67.222.222
    208.67.220.220
  • network->interfaces->edit: lan->dhcp server>advanced settings>dhcp options
    6,192.168.8.1

Then renew your lease on a client (or wait for lease time to expire) and test it which should give you something like this:

# nslookup mypc.lan
Server:		192.168.8.1
Address:	192.168.8.1#53

Name:	mypc.lan
Address: 192.168.8.21

Then

  • start the OpenVPN service and test resolving again for openwrt.org but now on the client:
# nslookup openwrt.org
Server:		192.168.8.1
Address:	192.168.8.1#53

Non-authoritative answer:
Name:	openwrt.org
Address: 139.59.209.225
Name:	openwrt.org
Address: 2a03:b0c0:3:d0::1af1:1

If all went well, you can now

  • enable the OpenVPN service

and hopefully 👍

1 Like
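The advice in this thread (give clients the router itself as DNS, give dnsmasq its own upstream forwarders, and do not point dnsmasq back at itself, which would create the loop warned about earlier) can be checked mechanically against the `package dhcp` part of a UCI dump. The following Python is an added example and not OpenWrt code: it reads UCI text with a minimal parser and flags the situations discussed above. The three config snippets are constructed from the configs posted in this thread, `192.168.8.1` is assumed to be the router's LAN address, and `list server` is the UCI form of LuCI's "DNS forwardings" field.

```python
"""Check an OpenWrt 'package dhcp' UCI dump for the DNS pitfalls discussed in
this thread.  Added example, not part of OpenWrt; the inputs are constructed."""
import shlex
from collections import defaultdict

ROUTER_IP = "192.168.8.1"  # assumed LAN address of the router

# Constructed from the original post: clients get only external resolvers.
ORIGINAL_CFG = """
config dnsmasq
        option domainneeded '1'
        option local '/lan/'
        option domain 'spirare'

config dhcp 'lan'
        option interface 'lan'
        list dhcp_option '6,208.67.222.222,208.67.220.220'
"""

# Constructed from the accepted fix: router first for clients, upstreams on dnsmasq.
FIXED_CFG = """
config dnsmasq
        option domain 'spirare'
        list server '208.67.222.222'
        list server '208.67.220.220'

config dhcp 'lan'
        option interface 'lan'
        list dhcp_option '6,192.168.8.1'
"""

# Constructed: the loop the thread warns about (dnsmasq forwarding to itself).
LOOP_CFG = """
config dnsmasq
        list server '192.168.8.1'

config dhcp 'lan'
        list dhcp_option '6,192.168.8.1'
"""


def parse_uci(text):
    """Minimal UCI reader: returns sections with their option and list values."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config" and len(parts) >= 2:
            sections.append({"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                             "options": {}, "lists": defaultdict(list)})
        elif sections and parts[0] == "option" and len(parts) == 3:
            sections[-1]["options"][parts[1]] = parts[2]
        elif sections and parts[0] == "list" and len(parts) == 3:
            sections[-1]["lists"][parts[1]].append(parts[2])
        # "package ..." and anything unrecognised is ignored
    return sections


def check_dns_config(text, router_ip):
    """Return findings as strings; an empty list means the layout matches the thread's advice."""
    secs = parse_uci(text)
    findings = []
    dnsmasq = next((s for s in secs if s["type"] == "dnsmasq"), None)
    upstreams = dnsmasq["lists"].get("server", []) if dnsmasq else []

    for s in secs:
        if s["type"] != "dhcp":
            continue
        for opt in s["lists"].get("dhcp_option", []):
            code, _, value = opt.partition(",")
            if code.strip() != "6":  # only the DNS-server option matters here
                continue
            servers = [v.strip() for v in value.split(",") if v.strip()]
            if router_ip not in servers:
                findings.append(f"dhcp '{s['name']}': option 6 hands out only {servers}; "
                                "clients bypass dnsmasq, so LAN hostnames will not resolve")
            elif servers[0] != router_ip:
                findings.append(f"dhcp '{s['name']}': {router_ip} is not first in option 6; "
                                "clients will prefer an external resolver for LAN names")
    if router_ip in upstreams:
        findings.append("dnsmasq: its own LAN address is listed as an upstream server (forwarding loop)")
    if not upstreams:
        findings.append("dnsmasq: no 'list server' upstreams; the router's own lookups depend on "
                        "the resolvfile populated from WAN peer DNS")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("fixed", FIXED_CFG), ("loop", LOOP_CFG)):
        print(label, "->", check_dns_config(cfg, ROUTER_IP) or ["ok"])
```

On a live router, feed it `uci export dhcp`; the "option 6 hands out only ..." finding is the exact configuration the thread started with, and the "no upstreams" finding is the case the reply about NTP and VPN endpoint lookups refers to.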

Indeed...that is great...shifting focus on routing next...thanks

You can always start from scratch, doing a reset ;)

Indeed, I have been thinking about starting back from a clean install and it might come to this BUT preferably not before understanding a bit more about what is causing the problem and obviously learning more about DNS and Routing on and off the forum as I am doing now.

None of the replies I get from all of you guys on the forum are going to waste !

Kind of you to have spent time on my little problem.
Very instructive post... setting network->dhcp & dns>general settings>DNS forwardings as well as network->interfaces->edit: lan->dhcp server>advanced settings>dhcp options did the trick.
nslookup is quite a handy tool.
Thanks