Setting router as DNS for only selected device?

dnscrypt-proxy is running on router. ISP has optimized DNS for some local services using their route, but has DNS hijacking for other things.
I want to use dnscrypt-proxy for myself, and set ISP DNS for others.
The idea is: Let DHCPv4/v6 give ISP DNS directly by default, and give router IP to my devices only.


  1. Devices like other's phones and my Nintendo Switch don't allow specifying DNS port, so I can't just bind the 2 DNS resolver to 2 different ports. Keeping dnsmasq is easy, but forwarding my requests to dnscrypt-proxy causes double caching. ISP DNS resolvers are close and numerous (2nd problem, they could change), so I want to keep dnscrypt-proxy instead to make things simple.
  2. When using router as DNS, DHCPv6 gives the link local IPv6 address for IPv6 DNS, which is very nice. The address may change upon network change (not sure if IPv6-privacy is enabled on router), so I want it to stay automated.
  3. Others don't know how to or want to set DNS manually.
  4. dnscrypt-proxy has no option to only serve LAN (if I bind multiple addresses with [::]:53)

The options on LuCI doesn't seem to be able to fully do this.
In /etc/config/dhcp I see some options:

  1. dnsmasq.localuse: If I turn it off, does it cause router to use ISP DNS?
    Or is this option making the router announce itself as DNS?
  2. dnsmasq.port=0 disables DNS.
    EDIT: Also disables DNS in DHCPv4...
  3. host.dns probably irrelevant
  4. tagging but then it's manually assigning DNS

On a side note:

  1. The process tab says dnscrypt-proxy is taking 265% memory? But the memory usage in overview is low.
  2. LuCI sometimes deletes other entries when I make a change (like setting dns port to 0 caused it to remove boguspriv=1 & nonwildcard=1). Is this normal?
    Version: OpenWrt 21.02rc3, dnscrypt-proxy 2.0.46-beta3
1 Like

Idea: You can advertise an unused IP as NS for those clients and do a DNAT to the local IP:port of dnscrypt.

1 Like

Client classifying is supported only by dnsmasq, but not odhcpd.
Add a DNAT redirect as proposed by @trendy and use src_mac to match your client.

1 Like

Correction: odhcpd does not give IPv6 link local address with dns_service enabled, instead it's a Unique Local Address with suffix ::1 (the ULA prefix/range was generated beforehand and are being handed out the clients).
Though IMO ideally some additional configs in the form of static lease would be nicer than the tagging thing...

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.