OpenWrt and DNS

Hi there,

I'm using dnscrypt-proxy2 and I'm not sure if they can be placed in lan or wan custom dns?
Because even with dnscrypt-proxy2 I can still see the ISP DNS in status overview. But in dnsleaktest I only see my dnscrypt servers.
Thank you

Where in Status - Overview?

in network / IPv4 Upstream
I see the 3 DNS servers from the ISP.
I know I can add custom DNS servers in lan or wan, and I already use dnscrypt, so I guess I can add it instead of Cloudflare or Google etc.

No. How would your router ( figure out how to send your request to when you type in in your browser?

In fact, those IPs you're seeing are never used as DNS resolvers if you're using dnscrypt-proxy.


Ok, but when I'm connected with WireGuard I can't opkg update (failed to download), and when I add in wan custom dns it works again.

by default your wan interface connects to your ISP modem; your ISP populates for example an IP address and DNS server address(es), which may or may not belong to the ISP.
owrt's dnsmasq service covers a couple of services, e.g. it acts as a DNS resolver, DNS cache (and even DHCP).
the default owrt setup will use the DNS server address(es) as the upstream DNS resolver(s), so any client on your lan will ask dnsmasq first to resolve a domain name; if it cannot, it will ask the upstream server(s) (= ISP provided server(s)). Also, as dnsmasq is a DHCP server, it will send the DHCP scope to your clients including itself as the DNS server.

if you want you can override the above mechanism in several ways:

  1. you can specify an upstream DNS resolver on the wan interface; it will override the ISP provided one.
  2. you can specify an alternative DNS server in the DHCP scope so your DHCP lan clients will use this DNS server directly instead of dnsmasq. This overrides your lan clients' DNS settings, not owrt itself: i.e. if you do ping or opkg on the router itself it will use whatever is set in the /etc/resolv.conf file, which by default includes the ISP provided server address(es).
  3. if you want security and/or privacy and don't trust your ISP you may use the aforementioned dnscrypt-proxy; in that case you must tell dnscrypt-proxy who the upstream resolver will be, and your DNS traffic will be encrypted in one way or another, again bypassing the ISP. in this case dnsmasq will use dnscrypt-proxy as upstream so all lan clients can leverage the benefit of encrypted traffic.
  4. wireguard is a different beast. you can configure wireguard in many different ways, putting it in whatever zone you want, dis/allowing forwarding between the wg zone and others ... there are so many reasons why wg is not working as you expect, and adding (which i guess is your lan interface's address) seems to solve your problem. but instead of doing that you should rather tell wg what DNS server to use and/or put the wg interface into a proper firewall zone. there are guides on how to set up wg, please check. also check resolv.conf (#2) as a first step; my guess is it is pointing to your ISP's DNS.

and there are other challenges related to DNS:

  • there are apps (e.g. any recent web browser such as Chrome and Firefox) whose default setting is to use a well-known public DNS resolver, bypassing your local lan configuration. E.g. in Firefox it is called "Enable DNS over HTTPS" and the default provider is Cloudflare.
  • any lan client can override DHCP settings and configure a manual DNS server, thus bypassing your lan configuration. there are guides on how to force DNS traffic to your owrt dnsmasq in such a case, i.e. all DNS traffic is silently redirected to dnsmasq using firewall rules.
  • forcing the DNS server as above is not a complete solution either, because clients may use modern encrypted DNS solutions which cannot be redirected. E.g. DNS over HTTPS uses port 443, which is common to all HTTPS, so you cannot force it to your router as that would redirect all HTTPS traffic, not just DNS related, i.e. you would not be able to access any legit web server (even if you knew the IP address of the web site).

So I can leave my wan and lan custom DNS servers empty even if I see the ISP DNS in upstream IPv4.
But if it helps to use opkg update with WG, could I add it in wan?
And yes, is my router's IP.

by default dnsmasq listens on all interfaces, so in theory you would not need to do anything ... but i am not sure how you configured wireguard, and i guess you might not have assigned the wg interface to the right zone. nor have you mentioned what the purpose of wg is for you, and that can also drive your required setup.
but if your only problem is that opkg cannot connect to the internet, that's a problem of owrt as a network device missing a proper DNS config, which is configured in /etc/resolv.conf. please note that /etc/resolv.conf is a symlink to which is automatically generated, thus IF your dnsmasq knows a working upstream DNS server (e.g. dnscrypt-proxy is indeed working) you can delete the symlink and create a regular file and put in. and i emphasize, IF dnsmasq has a working upstream. this way owrt as a network device will use dnsmasq too, and not the auto-generated ISP DNS config.

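The resolv.conf procedure from the last reply, as an added example that is not from the thread or from OpenWrt itself. It assumes dnsmasq's upstream list is the UCI value dhcp.@dnsmasq[0].server (passed in as an argument so it can be exercised on a scratch directory) and uses 127.0.0.53 as a hypothetical dnscrypt-proxy listen address; it refuses to replace the symlink unless dnsmasq has a loopback upstream, which is the "IF dnsmasq has a working upstream" condition above.

```shell
#!/bin/sh
# Added example (not from the thread): pin the router's own resolver to dnsmasq,
# but only when dnsmasq has a local (non-ISP) upstream such as dnscrypt-proxy.
# Assumptions: $1 is the space-separated output of
#   uci -q get dhcp.@dnsmasq[0].server
# and dnscrypt-proxy listens on a loopback address (127.0.0.53 is hypothetical).

# Return 0 if at least one upstream entry is a loopback listener, i.e. not an
# ISP-assigned address that dnsmasq learned from the wan interface via DHCP.
# Entries may be plain addresses or dnsmasq's /domain/address form.
has_local_upstream() {
    for s in $1; do
        case "$s" in
            127.*|::1*|/*/127.*|/*/::1*) return 0 ;;
        esac
    done
    return 1
}

# Replace the auto-generated symlink at $2 with a regular file that points
# the router itself (opkg, ping, ...) at dnsmasq on 127.0.0.1.
# Refuses to act when dnsmasq has no local upstream: dropping the ISP-provided
# servers would then leave the router with no working resolution at all.
pin_resolv_to_dnsmasq() {
    upstreams=$1
    resolv=$2
    if ! has_local_upstream "$upstreams"; then
        echo "refusing: dnsmasq upstream '$upstreams' has no loopback resolver" >&2
        return 1
    fi
    if [ -L "$resolv" ]; then
        rm -f "$resolv"
    fi
    printf 'search lan\nnameserver 127.0.0.1\n' > "$resolv"
    return 0
}

# On a router you would call, after verifying dnscrypt-proxy answers queries:
#   pin_resolv_to_dnsmasq "$(uci -q get dhcp.@dnsmasq[0].server)" /etc/resolv.conf
```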