Make wgserver use different dnsmasq instance

Hi,

I have an external lancache server, and on the main instance of dnsmasq inside OpenWrt I point lancache.steamcontent.com to 10.244.244.5. This is for local use and all fine, but not over wgserver, but I still want access to my local domain names and use nextdns.

I took note that luci got new options to create separate dnsmasq instances, which I made with success by making sure that under excluded interfaces loopback is defined and under listening interface wgserver is defined; this way dnsmasq will not crash because it detected a double listening port on loopback.

So I did some testing and I'm kind of confused here: when I look at my.nextdns.com I can confirm I see a DNS resolver from Odido. This confirms to me that this works, otherwise I would see nextdns.

But when I check the A record again for lancache.steamcontent.com I see the same A record as the default dnsmasq instance... When I type radarr.lan or sonarr.lan I can connect to them, which are both domains from the default dnsmasq instance... And I tested this on a mobile network over my wgserver instance.

So somehow I confirmed that the wgserver interface is still not listening on my newly created dnsmasq instance.

My main question is: what is the proper way to make wgserver follow the second dnsmasq instance and follow its own dns records?

And my second question is: could it be that the added A records on the default dnsmasq instance take precedence over the second dnsmasq instance, hence only the local service being checked?

Thank you very much :smiley:

Edit:

I also tried turning off masquerading in case that somehow magically clashed, but to no avail.

The wgserver does not listen on any dnsmasq instance.

The DNS server set on the wgserver interface is just added to the dnsmasq resolv file.

You set a dns server on the wg client.

So just set your router's IP address where dnsmasq is listening as the DNS server in the wg client.
Make sure to disable "listen to local address only" in the dnsmasq config and let it listen on wgserver if you do not allow it to listen on all interfaces.

After some fiddling around I think this is the best solution :+1:

I ended up creating a different dnsmasq instance but making the port in the DNS settings listen differently; then it works just fine on loopback. Then I made a port-forward DNS hijacking rule and it works :smiley:

If you keep the DNS hijack rule, I’d scope it as tightly as possible: source zone only wgserver, destination port 53 only, and redirect only to the second dnsmasq instance. That avoids accidentally intercepting normal LAN clients or the router’s own lookups. Also test one WG client with a hard-coded external DNS server, because that is the case the redirect is meant to catch.
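Putting the two replies above together, this is what the resulting /etc/config/dhcp and /etc/config/firewall fragments could look like. It is an added example, not configuration posted in the thread: the instance name `wg`, the firewall zone name `wg` (the zone that contains the wgserver interface), port 5353 and the upstream resolver placeholder are assumptions to replace with your own values.

```uci
# /etc/config/dhcp  (added example; the default 'config dnsmasq' section is left untouched)
# Second instance for WireGuard clients. It listens on its own port so it
# does not collide with the default instance on 53, and it carries only
# the records that should be visible to WG clients.
config dnsmasq 'wg'
	option port '5353'
	option localuse '0'                 # the router itself keeps using the default instance
	option noresolv '1'                 # do not read /etc/resolv.conf; use the servers below
	option leasefile '/tmp/dhcp.leases.wg'
	list interface 'wgserver'           # must listen where the DNAT below delivers packets
	list server '/lan/127.0.0.1#53'     # forward *.lan to the default instance so radarr.lan etc. still resolve
	list server '198.51.100.53'         # placeholder: replace with your NextDNS resolver address
	# no 'list address' for lancache.steamcontent.com here, so WG clients get the public record

# /etc/config/firewall  (added example)
# Scoped DNS hijack: only traffic arriving from the WG zone, only port 53,
# redirected to the second instance. No dest_ip means fw4 targets the
# router's own address on the interface the packet came in on.
config redirect 'wg_dns_hijack'
	option name 'Intercept-DNS-wg'
	option src 'wg'                     # assumption: zone containing wgserver
	option src_dport '53'
	option dest_port '5353'
	list proto 'tcp'
	list proto 'udp'
	option target 'DNAT'
```

Apply with `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart`, then check from a WG client with `nslookup lancache.steamcontent.com` and `nslookup radarr.lan`; the first should now return the public record and the second the LAN address. Because the redirect matches every port-53 packet from the WG zone, it also catches a client that ignores the DNS server pushed by the peer config and hard-codes an external resolver, which is the case the scoping in the reply above is meant to cover.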