Log DNS requests to syslog for one network

Hello, I have OpenWrt 21.02.3 r16554-1d4dea6d4f on a Xiaomi 4A.
I have set up a second network and a separate Wi-Fi. The network is isolated from . So I want to enable the log of DNS requests only for the network. If I enable the option "Log queries" from LuCI it logs everything. I don't want that.
Is it possible to do that from SSH?

Set up a second DNS, and redirect the 10 subnet to it, or tell all the devices you don't want to log to use some other DNS than your own.

Thanks for the reply @frollic. Both networks use their default gateway ( , ) as DNS. I don't have a Pi-hole or something similar, so I rely on OpenWrt, and I have set up DNS (OpenDNS) on WAN (upstream). I have logs of course from OpenDNS, but I want a more detailed syslog, like which device requests what. I know that this will be a hard job for my router, but I don't expect heavy traffic from the network.

If you're not doing anything fancy with the local DNS, point your regular clients directly to the OpenDNS IPs, while you use your local DNS for the 10.0.0 clients; then the only thing logged will be the calls coming from the 10.0.0 subnet.

Use option 6.


Set up a second dnsmasq instance for the isolated , which will log queries.


@frollic I tried your suggestion, but I can still see the requests from . I guess I must try what @trendy said. I am still a rookie with OpenWrt, so before I start setting up the second dnsmasq, do I have to delete the default DNS instance, or can I add the second one right away? Thank you both.

After making the changes, you need to restart dnsmasq and reconnect your clients, forcing them to make new DHCP requests.


The first two lines of the script will do that for you. Then make sure that the INST variable is using the correct names of the interfaces that you have.

I tried that and it didn't work. I tried rebooting the router as a last resort, but I keep getting logs.

Then you probably made some kind of error in the configuration.

What IPs are your clients getting for DNS?

I gave them the OpenDNS IPs from br-lan > DHCP. I also tried from br-lan > Advanced settings.
And because I have these in custom rules:

iptables -t nat -A PREROUTING -s -p tcp --dport 53 -j DNAT --to
iptables -t nat -A PREROUTING -s -p udp --dport 53 -j DNAT --to

I disabled them just to be sure.

Keep these rules disabled and create a new one:

uci add firewall redirect
uci set firewall.@redirect[-1]=redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='DNS'
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].src_dport='53'
uci set firewall.@redirect[-1].dest_ip=''
uci set firewall.@redirect[-1].dest_port='53'
uci set firewall.@redirect[-1].reflection='0'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].src_ip=''
uci add_list firewall.@redirect[-1].proto='tcp' 
uci add_list firewall.@redirect[-1].proto='udp'
uci commit firewall
/etc/init.d/firewall restart

There is also an IPv6 nameserver advertised, which will most likely be preferred.

I have disabled IPv6 until I manage to make it work with stateful DHCP. But I don't care about IPv6 right now.

I set the firewall rule, but I still get the queries from 'lan'; instead of I get them from . Thanks for the help, by the way.

Assign the loopback interface in the dnsmasq instance which doesn't log queries.

Okay, I made some tests.

  1. The rule works as expected: DNS queries from the specified network are not logged.
  2. Most likely you see only PTR queries from the router itself, searching for a name in /etc/hosts or /tmp/hosts/dhcp.cfg*, like this:
Thu Jun 30 12:36:25 2022 daemon.info dnsmasq[18334]: 328 query[PTR] from
Thu Jun 30 12:36:25 2022 daemon.info dnsmasq[18334]: 328 /etc/hosts is pavel.homelan

From what I see, they are generated every time LuCI is used, no matter whether the rule is active or not.
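The goal stated earlier in the thread is a per-device view of "which device requests what", and the post above shows why the raw dnsmasq log is noisy: the router's own PTR lookups (triggered by LuCI) land in the same file. The following is an added example, not code from the thread or from OpenWrt, that parses dnsmasq query lines from syslog, keeps only the queries whose source lies in the isolated subnet, and separates the router's loopback-sourced PTR lookups. The sample log lines are constructed; 10.0.0.0/24 is assumed to be the isolated subnet mentioned in the thread, 192.168.1.0/24 the regular LAN, and 203.0.113.1 a placeholder upstream resolver.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the dnsmasq "log-queries" format shown in
# the post (the "328" is the query id dnsmasq prints with log-queries=extra).
# Addresses are assumptions: 10.0.0.0/24 is taken as the isolated subnet from
# the thread, 192.168.1.0/24 as the regular LAN, 203.0.113.1 as the upstream.
SAMPLE_LOG = """\
Thu Jun 30 12:36:25 2022 daemon.info dnsmasq[18334]: 328 query[PTR] 1.0.0.10.in-addr.arpa from 127.0.0.1
Thu Jun 30 12:36:25 2022 daemon.info dnsmasq[18334]: 328 /etc/hosts is pavel.homelan
Thu Jun 30 12:36:40 2022 daemon.info dnsmasq[18334]: 329 query[A] example.com from 10.0.0.23
Thu Jun 30 12:36:40 2022 daemon.info dnsmasq[18334]: 329 forwarded example.com to 203.0.113.1
Thu Jun 30 12:36:41 2022 daemon.info dnsmasq[18334]: 330 query[AAAA] example.com from 10.0.0.23
Thu Jun 30 12:36:55 2022 daemon.info dnsmasq[18334]: 331 query[A] updates.example.net from 192.168.1.50
Thu Jun 30 12:37:02 2022 daemon.info dnsmasq[18334]: 332 query[A] cdn.example.org from 10.0.0.42
Thu Jun 30 12:37:05 2022 daemon.info dnsmasq[18334]: 333 query[PTR] 23.0.0.10.in-addr.arpa from 127.0.0.1
"""

# Matches only "query[TYPE] name from source" lines; the optional leading
# number is the per-query id printed when log-queries=extra is enabled.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: (?:\d+ )?query\[(?P<qtype>[A-Z0-9]+)\] "
    r"(?P<name>\S+) from (?P<src>\S+)"
)


def parse_queries(log_text):
    """Return (qtype, name, source_ip) tuples for every query line in the log.

    Lines such as "/etc/hosts is ..." or "forwarded ... to ..." are skipped."""
    queries = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries.append((m["qtype"], m["name"], m["src"]))
    return queries


def queries_from_subnet(queries, cidr):
    """Keep only queries whose source address lies inside the given subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [q for q in queries if ipaddress.ip_address(q[2]) in net]


def router_self_queries(queries):
    """Queries sent by the router itself (loopback source), e.g. the PTR
    lookups LuCI triggers when it resolves names for its status pages."""
    return [q for q in queries if ipaddress.ip_address(q[2]).is_loopback]


def names_by_client(queries, cidr):
    """Map each client in the subnet to the names it asked for, in log order:
    the "which device requests what" view."""
    per_client = defaultdict(list)
    for _qtype, name, src in queries_from_subnet(queries, cidr):
        per_client[src].append(name)
    return dict(per_client)


def query_type_counts(queries):
    """Count queries per record type (A, AAAA, PTR, ...)."""
    return Counter(q[0] for q in queries)


if __name__ == "__main__":
    parsed = parse_queries(SAMPLE_LOG)
    print("total queries:", len(parsed))
    print("router self-queries (loopback):", len(router_self_queries(parsed)))
    for client, names in names_by_client(parsed, "10.0.0.0/24").items():
        print(client, "->", ", ".join(names))
```

On a router the same functions can be fed the output of `logread` instead of the constructed sample; because the filter keys on the source address rather than on the logging dnsmasq instance, it gives the per-subnet view even when a single instance is still logging everything.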


It seems you are right. LuCI generates the PTR. OK, that's a simple and nice solution, but I have a question. The firewall rule aims at one DNS IP; how do I set the second IP of OpenDNS? Do I have to enter a new rule, or can I add the second IP under this line: uci set firewall.@redirect[-1].dest_ip=''

I broke something, by the way, and I can't see Network > Firewall from LuCI. I tried rebooting and reinstalling the firewall, but it's not coming back.

It can't round robin a list of IPs. Practically the primary IP will always be online and available.