Set different DNS for specific interfaces?

I have a setup running OpenWrt 22.03.3 where I have multiple interfaces such as LAN, guest, wireguard VPN for remote access etc.

Can I set different DNS servers for those interfaces?

The reason is I want to redirect DNS for the LAN and guest interface to a Pi-Hole container running in docker on the OpenWrt system. But DNS on other interfaces, such as the Wireguard interface, I would like to still use ISP DNS for resolving the peer's hostname.
If the Pi-Hole container is for some reason down, I would still like the Wireguard interface to be able to resolve the peer so I can remotely manage and troubleshoot the system.

Yes, but OpenWrt uses the DNS servers assigned to the outbound (i.e. usually Internet/WAN) connection.

Use DHCP Option No. 6 to assign the PiHole DNS IP to the clients on that network. There are threads on how to make that DHCP config.

Thanks for the reply. I saw in the AdGuard Home tutorial you can set specific DNS forwarders for specific domain names. https://openwrt.org/docs/guide-user/services/dns/adguard-home#bypassing_encrypted_dns_for_ntp

Can I set e.g. /mywireguardpeer.example.com/1.1.1.1 so the wireguard peer domain name is always resolved with Cloudflare? Is this what this setting is used for?

Do you want to:

  • Use different DNS servers for different clients; or
  • To use a different DNS server depending on what domain/host is being resolved?

Honestly, I know such a setting is possible, but I've never used it myself (and I cannot find a relevant thread through search).

@trendy @Borromini @pavelgl @psherman - perhaps one of them can confirm.

Option #2. If the domain mywireguardpeer.example.com is resolved it uses a specific DNS server for only that domain name. All other DNS queries are resolved using the Pi-Hole, Adguard or similar.
This is just to ensure that even if the Pi-Hole instance is down, the router can still resolve the hostname of the wireguard peer and let me SSH into the (remote) router for troubleshooting.

I don't have physical access and the router is behind CGNAT, so the wireguard connection has to be started FROM the router (to another OpenWrt router in a site-to-site config).

Yes, all DNS requests to resolve mywireguardpeer.example.com will be sent to 1.1.1.1.

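As an added illustration (not from the thread or from the OpenWrt/dnsmasq code), the following models how dnsmasq picks an upstream once a domain-specific forwarder such as `server=/mywireguardpeer.example.com/1.1.1.1` is configured, and why the peer stays resolvable when the Pi-Hole is down. The Pi-Hole address 192.168.1.2 is a constructed sample value.

```python
# Added example (not from the thread): a small model of how dnsmasq picks
# an upstream when domain-specific forwarders are configured, i.e. the
# "Option #2" behaviour discussed above. Addresses are constructed samples.
#
# OpenWrt equivalent in /etc/config/dhcp (passed to dnsmasq as server=...):
#   config dnsmasq
#       list server '/mywireguardpeer.example.com/1.1.1.1'
#       list server '192.168.1.2'        # constructed Pi-Hole address

PIHOLE = "192.168.1.2"   # constructed sample address of the Pi-Hole container


def parse_server(value):
    """Split a dnsmasq server= value into ([domains], upstream).

    '1.1.1.1'            -> ([], '1.1.1.1')             plain upstream
    '/a.example/1.1.1.1' -> (['a.example'], '1.1.1.1')  domain-specific
    '/a.example/'        -> (['a.example'], None)       None = use plain upstreams
    """
    if not value.startswith("/"):
        return [], value
    parts = value.split("/")
    domains = [d.lower().rstrip(".") for d in parts[1:-1] if d]
    return domains, (parts[-1] or None)


class Forwarders:
    def __init__(self, options):
        self.default = []   # upstreams used when no domain rule matches (Pi-Hole)
        self.rules = {}     # domain suffix -> list of upstreams for that domain
        for opt in options:
            domains, upstream = parse_server(opt)
            if not domains:
                self.default.append(upstream)
            for d in domains:
                self.rules.setdefault(d, [])
                if upstream:
                    self.rules[d].append(upstream)

    def upstreams_for(self, qname):
        """Longest matching suffix wins, as in dnsmasq; empty rule -> defaults."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            rule = self.rules.get(".".join(labels[i:]))
            if rule is not None:
                return rule or self.default
        return self.default

    def resolvable(self, qname, down=()):
        """True if at least one selected upstream is not in the 'down' set."""
        return any(u not in down for u in self.upstreams_for(qname))


def thread_config():
    return Forwarders([PIHOLE, "/mywireguardpeer.example.com/1.1.1.1"])
```

With the Pi-Hole marked down, `thread_config().resolvable("mywireguardpeer.example.com", down={PIHOLE})` is True while any other name is not, which is exactly the fallback the original poster wanted for the WireGuard peer.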
