Multitude of DNS settings: wan DNS vs lan DNS vs DHCP options vs Dnsmasq DNS forwarding

Hello. An openwrt noob here.

I'm trying to wrap my head around all the available DNS options.

There are 4 DNS-related configuration areas available:

  1. "Network -> Interfaces -> wan -> Advanced Settings -> Use custom DNS servers"
  2. "Network -> Interfaces -> lan -> Advanced Settings -> Use custom DNS servers"
  3. "Network -> Interfaces -> lan -> DHCP Server -> Advanced Settings -> DHCP Options"
  4. "Network -> DHCP and DNS -> DNS Forwardings"

Of the above four only the "DHCP options" (3) makes sense to me. Other options leave a lot of fog in my head around this topic.

I did some forum search and some answers to similar questions say that the DNSs in "wan -> Advanced Settings" and "lan -> Advanced Settings" are used by the router itself.

I'm not sure I understand what exactly that means:

  1. "Router itself" - does it refer to some particular processes running on a router that need DNS?
  2. So does it (the "router itself") use WAN or LAN DNS, after all?
  3. How does "DHCP and DNS" tab fit into the picture, i.e. what is its role?

Might I have missed some wiki/etc. section that explains all that? :slight_smile: Maybe someone can kindly point me to a description of a DNS request lifecycle in the openWRT world, i.e. from its inception on a connected client, through the entire delegation/forwarding chain with all the pivotal points/possible overrides, to a "final" DNS server?


Yes, several processes, but the needs do depend on how the device is configured (router vs dumb AP, other user installed packages, etc.). The basic processes involve things like NTP (local) functioning as a DNS server in its own right (the default config of OpenWrt will make the router itself the DNS server advertised via DHCP). Of course the opkg package manager needs DNS, and other packages installed by users may need it, too.

The router will use either the forwardings as set up in the dnsmasq config, or the 'upstream' DNS. In the case of router mode, the upstream is almost always the wan -- in this case, any dns servers configured in the lan interface stanza are ignored. This applies either via static IP for the wan or DHCP/PPPoE with the peer-dns disabled (i.e. "don't use the advertised DNS servers"). A dumb AP will use the lan (and there is no wan), so here the lan interface's defined dns server would be used. So it depends on how things are configured.

This allows the admin to set the main system dns and/or selective forwardings for specific domains. It can alternatively be used to configure the system to respect DNS filtering such as AGH or DoH/DoT implementations.

If you're using DHCP option 6, that is not for the router itself, but rather what is advertised to DHCP clients on your network.

I don't see a great OpenWrt specific wiki entry, but the general info is below.

In the meantime, here is another article that kind of describes the DNS process overall (not OpenWrt specific).

Basically, in most configs, the devices behind the OpenWrt router will use OpenWrt as the DNS server... they request a domain resolution and OpenWrt will evaluate the request... if it has the address in cache or in a local resolution table (such as for local hosts), it will respond directly. If not, it will ask the next upstream DNS -- usually this is the ISP's servers or a public one chosen by a user.


Since this topic interests me too...

How can I make DNS requests be resolved only by 1.1.1.1 and, if that fails, by 8.8.8.8?

I deliberately ignore the DNS communicated by my ISP (option noresolv '1').

Currently this is an excerpt of my configuration "/etc/config/dhcp":

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option localuse '1'
        list interface 'lan'
        option noresolv '1'
        list server '1.1.1.1'
        list server '8.8.8.8'
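
The answer above describes the router using either the dnsmasq forwardings or its upstream, and the excerpt above shows the UCI keys involved. As an added illustration (my own code, not from the thread or from OpenWrt), this script parses the `config dnsmasq` section of such a file, maps the keys shown here to the dnsmasq flags they become, and flags a config that leaves dnsmasq with no upstream at all. The sample text and the parser's section/option handling are assumptions modelled on the excerpt, not a real router dump.

```python
"""Added example: parse the `config dnsmasq` section of an OpenWrt
/etc/config/dhcp file and report the upstream resolvers dnsmasq will use."""
import re

# Constructed sample modelled on the excerpt posted above (not a real router dump).
SAMPLE_DHCP = """
config dnsmasq
        option domainneeded '1'
        option rebind_protection '1'
        list interface 'lan'
        option strictorder '1'
        option noresolv '1'
        list server '1.1.1.1'
        list server '8.8.8.8'
"""

# UCI key -> dnsmasq flag, as mapped by OpenWrt's dnsmasq init script.
FLAGS = {"noresolv": "--no-resolv", "strictorder": "--strict-order",
         "rebind_protection": "--stop-dns-rebind", "domainneeded": "--domain-needed"}

def parse_uci(text):
    """Return [(section_type, section_name, {key: value or [values]})]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line):
            sections.append((m.group(1), m.group(2), {}))
        elif (m := re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)) and sections:
            kind, key, val = m.groups()
            opts = sections[-1][2]
            if kind == "list":
                opts.setdefault(key, []).append(val)   # repeated `list` lines accumulate
            else:
                opts[key] = val
    return sections

def dnsmasq_upstreams(text):
    """Describe where dnsmasq will forward, and flag configs that leave it with no upstream."""
    dm = next(o for t, _, o in parse_uci(text) if t == "dnsmasq")
    servers = dm.get("server", [])
    args = [flag for key, flag in FLAGS.items() if dm.get(key) == "1"]
    args += ["--server=" + s for s in servers]
    problems = []
    if dm.get("noresolv") == "1" and not servers:
        problems.append("noresolv set but no 'list server': dnsmasq has no upstream at all")
    if dm.get("strictorder") == "1" and len(servers) < 2:
        problems.append("strictorder has no effect with fewer than two servers")
    return {"args": args, "servers": servers,
            "uses_resolv_conf": dm.get("noresolv") != "1", "problems": problems}
```

Run `dnsmasq_upstreams(open("/etc/config/dhcp").read())` against a copy of your own file to see the effective flags and any warnings.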

My two cents:

strict-order might do what you want, sort of; in my experience it quickly gives up and then queries all available DNS servers.

But otherwise your settings are OK; noresolv means it does not use the DNS added at other places but relies on the

list server '1.1.1.1'
list server '8.8.8.8'

you have placed in config dnsmasq

I had read somewhere about the "strict-order" option, but its use was not recommended.

I currently use dnsmasq with only the 1.1.1.1 server inserted,
because if I insert them both, I don't know why, but all requests are resolved by 8.8.8.8.

It queries all by default and uses the fastest.
You can use strict-order but as said it is not very reliable.

It was used in the past to 'insert' the VPN DNS server when the VPN was on, but that proved not very reliable (to make matters worse, it also differed by DNSMasq version; if I recall correctly, 2.86 was really bad).


Currently the version of dnsmasq I have is:

opkg list-installed | grep dnsma
dnsmasq - 2.89-7

Could I solve this problem by switching to DoH or DoT?

On your router the DNS will be in this order:

hosts file
any custom overrides in your settings you are confused about
then finally WAN


I would try strict-order and see if that works for you.


I assume this...

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option localuse '1'
        list interface 'lan'
        option strictorder '1'
        option noresolv '1'
        list server '1.1.1.1'
        list server '8.8.8.8'

The graphical interface "luci" also shows it after enabling the "strict-order" function in the configuration file.

If this configuration is active, the site:

only shows me "Cloudflare" servers.

To test the hypothesis that connections to 1.1.1.1 are impossible,
I set a firewall rule, and transparently the DNS requests are processed by 8.8.8.8.

/etc/config/firewall

config rule
        option name 'test_remove_all_connection_to_1111'
        option family 'ipv4'
        list dest_ip '1.1.1.1'
        option target 'DROP'
        option dest '*'

Do you have any other ideas to test/verify this?

You can increase dnsmasq log verbosity or look in the connection tracking for port 53.


Thanks a lot for taking time to give such an exhaustive answer!

For the record, to see the conntrack:
cat /proc/net/nf_conntrack | grep -E ' dport=(53|853) '

If your router supports watch:
watch -tn5 "cat /proc/net/nf_conntrack | grep -E ' dport=(53|853) ' | sort -nrk3"

DNSMasq logging:
logqueries (boolean, default 0, dnsmasq flag --log-queries=extra): log the results of DNS queries, dump cache on SIGUSR1, include requesting IP
e.g.:
option logqueries '1'

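
To make the `logqueries` output above answer the question the thread is really asking (which upstream handled the query, and did strict-order try the preferred server first), here is an added script of my own, not from the thread or from dnsmasq. It assumes the lines were copied off the router with `logread` and follow dnsmasq's own query-log format; the sample lines, client addresses and reply addresses are constructed.

```python
"""Added example: summarise dnsmasq `option logqueries '1'` output to see which
upstream was actually used and whether a strict-order setup honoured it."""
import re
from collections import Counter

# Constructed sample in dnsmasq's --log-queries=extra format (the "<id> <client>/<port>"
# prefix is optional in the regexes below, so plain --log-queries output works too).
SAMPLE_LOG = """\
Jan  1 10:00:01 router dnsmasq[1234]: 1 192.168.1.10/54321 query[A] example.com from 192.168.1.10
Jan  1 10:00:01 router dnsmasq[1234]: 1 192.168.1.10/54321 forwarded example.com to 1.1.1.1
Jan  1 10:00:01 router dnsmasq[1234]: 1 192.168.1.10/54321 reply example.com is 198.51.100.7
Jan  1 10:00:05 router dnsmasq[1234]: 2 192.168.1.11/40001 query[AAAA] openwrt.org from 192.168.1.11
Jan  1 10:00:05 router dnsmasq[1234]: 2 192.168.1.11/40001 forwarded openwrt.org to 1.1.1.1
Jan  1 10:00:07 router dnsmasq[1234]: 2 192.168.1.11/40001 forwarded openwrt.org to 8.8.8.8
Jan  1 10:00:07 router dnsmasq[1234]: 2 192.168.1.11/40001 reply openwrt.org is 2001:db8::1
Jan  1 10:00:09 router dnsmasq[1234]: 3 192.168.1.12/51000 query[A] printer.lan from 192.168.1.12
Jan  1 10:00:09 router dnsmasq[1234]: 3 192.168.1.12/51000 /etc/hosts printer.lan is 192.168.1.50
"""

QUERY = re.compile(r"\squery\[(\w+)\] (\S+) from (\S+)$")
FORWARDED = re.compile(r"\sforwarded (\S+) to (\S+)$")
LOCAL = re.compile(r"\s(cached|/etc/hosts|DHCP|config) (\S+) is (\S+)$")

def summarise(log):
    """Count queries, forwards per upstream, locally answered names, and names
    re-forwarded to a second upstream (dnsmasq's retry when the first one is silent)."""
    queries, forwards, local, tried = 0, Counter(), Counter(), {}
    for line in log.splitlines():
        if QUERY.search(line):
            queries += 1
        elif m := FORWARDED.search(line):
            forwards[m.group(2)] += 1
            tried.setdefault(m.group(1), []).append(m.group(2))
        elif m := LOCAL.search(line):
            local[m.group(1)] += 1          # never left the router
    retried = sorted(n for n, ups in tried.items() if len(set(ups)) > 1)
    return {"queries": queries, "forwards": dict(forwards),
            "local": dict(local), "retried": retried}

def strict_order_violations(log, preferred):
    """Names whose first forward went to a server other than `preferred`;
    with --strict-order this list should be empty."""
    first = {}
    for line in log.splitlines():
        if (m := FORWARDED.search(line)) and m.group(1) not in first:
            first[m.group(1)] = m.group(2)
    return sorted(n for n, up in first.items() if up != preferred)
```

On the sample, `summarise` reports two forwards to 1.1.1.1 and one to 8.8.8.8, with openwrt.org listed as retried, and `strict_order_violations(SAMPLE_LOG, "1.1.1.1")` is empty, which is what a working strict-order config should look like.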

I always forget that there is the possibility to inspect active connections via:

cat /proc/net/nf_conntrack

A thousand thanks


A general question: I read the following article

https://dnsmasq-discuss.thekelleys.org.narkive.com/ZJf4EWrZ/implementation-of-doh-in-dnsmasq#

In your opinion, would DoH support or DoT support directly incorporated into dnsmasq be more useful,

or, in your opinion, is it better to support DNS resolution through DoH or DoT?

I use SmartDNS as upstream resolver for DNSMasq to use encrypted DNS (I use DoT but you can also use DoH).

But I am not a SmartDNs expert :slight_smile:

Could I know your opinion on whether direct support built into dnsmasq for DoH or DoT could make sense?

I tried both the stubby package and the https-dns-proxy package (obviously both work) but they didn't convince me much.

But this is my opinion :smiley:
