Setting up DNS with openWRT

My setup is currently as follows:

Router (openWRT One) using PPPoE, on the WAN port, Upstream DNS Servers set to .9 and .112 (The actual IP addresses don't matter)

The LAN port is connected to a MikroTik switch, and the LAN interface is set up with "Custom DNS Servers" of .202 (PiHole) and .254 (the openWRT One itself)

This setup is basically identical to the setup on my existing tp-link router that I'm replacing with an openWRT One, but for my local clients on the LAN, the openWRT One is only issuing the .254 DNS server via DHCP, and my DNS requests seem to be incredibly slow

Am I missing something here?

To put it more generally, I want the WAN interface to use specific DNS servers, bypassing my ISP, and I want my LAN clients to use the PiHole first, and fallback to the openWRT One

The router will always advertise itself as the DNS server unless you override it with DHCP Option 6 in the LAN interface - DHCP Server - Advanced Settings - DHCP-Options field.

All the other Custom DNS entries on your interfaces end up as upstream servers to the router, not as options offered to DHCP clients.

uci add_list dhcp.lan.dhcp_option='6,192.168.1.202,192.168.1.254'
uci commit dhcp
service dnsmasq restart

I'll give that a shot, and let you know if it works, thanks!

You'll have to wait until every device renews its lease, or force a reconnection by restarting Wifi and bouncing your switch. But test it by forcing one client into airplane mode...


Yeah, not an issue; the OpenWRT One isn't even on the network right now, as I had to toss the tp-link back in its place, as I've got family types that get all kinds of grumpy if there were no internet all night.

Just pausing to appreciate you saying “I've got family types that get all kinds of grumpy, if there were no internet all night.” Listen, they don’t understand the sacrifice we make. Like, do they think I enjoy almost having an aneurysm trying to figure out why ___ is broken, just so everyone can have a safe, high-quality internet connection? Of course not; I, too, want to be doing my finest doom-scrolling or what have you. (Ok, maybe I do like tinkering a little, but, not when I nearly brick the router when a movie is on :rofl:)

I've been wrestling with a concept I'm trying to nail down all day; this response hit me right in the feels lmao.


I use the stubby package to bypass my ISP DNS server

https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby

Maybe a couple of ways to set it up - perhaps stubby on the WAN facing hardware and on the fallback PiHole. The wiki directions use Cloudflare 1.1.1.1 and you could use Cloudflare’s second DNS 1.0.0.1. Or a mix of Cloudflare and another provider.

Ok, so that has mostly worked, in that things resolving through the pihole (.202) do work just fine, but anything hitting the OpenWRT DNS server (.254) doesn't work. At least I assume there's a DNS server running on the openWRT router, or is that something I actually have to specifically enable?

dnsmasq should be running by default on the router, serving both DNS and DHCP. Run these commands on the router:

service dnsmasq status
netstat -nltup | grep ":53 "
nslookup openwrt.org 192.168.1.254
uci export dhcp

root@OpenWrt:~# service dnsmasq status
running
root@OpenWrt:~# netstat -nltup | grep ":53"
tcp        0      0 10.8.8.254:53           0.0.0.0:*               LISTEN      3816/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3816/dnsmasq
tcp        0      0 fe80::2205:b7ff:fe01:6c01:53 :::*                    LISTEN      3816/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      3816/dnsmasq
tcp        0      0 fd54:c760:7aa1::1:53    :::*                    LISTEN      3816/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           3816/dnsmasq
udp        0      0 10.8.8.254:53           0.0.0.0:*                           3816/dnsmasq
udp        0      0 ::1:53                  :::*                                3816/dnsmasq
udp        0      0 fd54:c760:7aa1::1:53    :::*                                3816/dnsmasq
udp        0      0 fe80::2205:b7ff:fe01:6c01:53 :::*                                3816/dnsmasq
root@OpenWrt:~# nslookup openwrt.org 10.8.8.254
Server:         10.8.8.254
Address:        10.8.8.254:53

** server can't find openwrt.org: REFUSED

** server can't find openwrt.org: REFUSED
root@OpenWrt:~# uci export dhcp
package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'lan'
        option noresolv '1'
        option allservers '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option force '1'
        list dhcp_option '6,10.8.8.202,10.8.8.254'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'obfuscated'
        option ip '10.8.8.2'

config host
        option name 'obfuscated'
        option ip '10.8.8.75'

config host
        option name 'Obfuscated'
        list mac 'Obfuscated'
        option ip '10.8.8.50'

config host
        option name 'Obfuscated'
        list mac 'Obfuscated'
        option ip '10.8.8.202'

How about:

cat /tmp/resolv.conf.d/resolv.conf.auto
grep resolv /var/etc/dnsmasq.conf.cfg01411c

root@OpenWrt:~# cat /tmp/resolv.conf.d/resolv.conf.auto 
# Interface lan
nameserver 10.8.8.202
nameserver 10.8.8.254
# Interface wan
nameserver 9.9.9.9
nameserver 149.112.112.112
root@OpenWrt:~# grep resolv /var/etc/dnsmasq.conf.cfg01411c 
no-resolv

It looks like you have no upstream resolvers anymore in the dnsmasq config.

I’d suggest removing the custom DNS servers from the LAN interface settings, then removing the noresolv option.
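As an added example (not from the thread and not OpenWrt's own tooling), the two checks from the replies above folded into one script: it reads a `uci export dhcp` dump and flags a LAN pool without DHCP option 6 (clients only ever learn the router as DNS) and a dnsmasq section with `noresolv` set but no `list server` entries (no upstream at all, hence the REFUSED answers). The sample config is constructed from the dump posted above; the "fixed" copy applies the resolution reached at the end of the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit a `uci export dhcp` dump for the
# two problems diagnosed above. On a router: uci export dhcp | audit_dhcp

audit_dhcp() {
    # q carries a literal single quote into awk; uci wraps every value in them.
    awk -v q="'" '
        /^config / { sect = $2; name = $3; gsub(q, "", name); next }
        # "Ignore resolv file" in LuCI is option noresolv; once set, only
        # list server entries remain as upstreams for dnsmasq.
        sect == "dnsmasq" && $1 == "option" && $2 == "noresolv" { noresolv = ($3 == (q "1" q)) }
        sect == "dnsmasq" && $1 == "list" && $2 == "server" { servers++ }
        # DHCP option 6 is what makes clients see anything but the router.
        sect == "dhcp" && name == "lan" && $2 == "dhcp_option" && index($3, q "6,") == 1 { opt6 = 1 }
        END {
            rc = 0
            if (noresolv && servers == 0) {
                print "FAIL: noresolv=1 and no list server: dnsmasq has no upstream, lookups are REFUSED"
                rc = 1
            } else {
                print "OK: dnsmasq has an upstream (resolv file or list server)"
            }
            if (opt6) print "OK: dhcp.lan offers DHCP option 6 to clients"
            else print "WARN: no DHCP option 6 on lan: clients get only the router as DNS"
            exit rc
        }'
}

# Constructed sample, cut down from the dump posted in the thread.
SAMPLE_CONFIG=$(cat <<'EOF'
package dhcp

config dnsmasq
        option localservice '1'
        list interface 'lan'
        option noresolv '1'
        option allservers '1'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        list dhcp_option '6,10.8.8.202,10.8.8.254'
EOF
)
# The fix applied at the end of the thread: uncheck "Ignore resolv file".
FIXED_CONFIG=$(printf '%s\n' "$SAMPLE_CONFIG" | sed "s/option noresolv '1'/option noresolv '0'/")

printf '%s\n' "$SAMPLE_CONFIG" | audit_dhcp || true
printf '%s\n' "$FIXED_CONFIG" | audit_dhcp
```

The function exits non-zero only for the REFUSED case, so it can sit in a post-change check; the option 6 finding is a warning because a router-only resolver is a valid (if slow, as the opening post saw) setup.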

I'll try that, but where do I unset that no-resolv at?

It’s called “Ignore resolv file” in the LuCI DHCP and DNS Resolv & Hosts files tab. Uncheck it.

Excellent! That did the trick, thanks!

