Split DNS per device

Dear OpenWRT gurus,

I need your help with my setup. I am quite a beginner at this and I am having some struggles with DNS forwarding based on gateway.

Here is my setup:

  • typical LAN zone, forwarded to WAN and VPN zone (wireguard client)
  • DNS hijacking and filtering using adblock-lean. I managed to get no leaks by also blocking DoT, using a DoH blocklist etc. All LAN clients end up going through the DNS filtering, even if they set a different DNS locally or use encrypted DNS.
  • only VPN interface has a custom DNS entry specified (specifying one in WAN resulted in some DNS leaks)
  • everything set up to go through the VPN interface
  • HTTPS DNS Proxy enabled: routes through the VPN and accesses the configured server from the VPN country
  • HTTPS DNS Proxy disabled: accesses the VPN provider's DNS

so far everything working as desired, mostly thanks to searching this forum!

Additional goal:

  • I want to be able to specify that some devices in the LAN network should go through WAN (both traffic and DNS requests)
  • I want this to be a single-place entry. Ideally I can modify this from LuCI in one place

What I tried:

  • disable HTTPS DNS Proxy for all the below. Didn't even reach that point yet.
  • using a PBR policy for the device IP, I see that only the traffic gets routed through WAN, but not the DNS
  • I tried to set a DNS policy for the device IP, but nothing really changed. I assume it is because dnsmasq on the router is the one that forwards?
  • I tried adding a custom DNS entry also to the WAN interface, but the only thing that does is leak through the tunnel. DNS goes over the tunnel and sometimes reaches the WAN server at the end.
  • I tried a bunch of other things (trying to set DNS over DHCP, DNS forwards etc.)

nothing worked :(

I am probably not understanding something basic about how to conditionally forward DNS from dnsmasq to different interfaces depending on the device initiating the request.

Could you please guide me as to what's the appropriate method to do this?

Thanks a lot guys!

For some background see my notes:

If you use PBR 1.1.7-10 you can use DNS policies, but these use the same mechanism as DNS hijacking, so they might interfere with each other.

Consider using DNS option 6 for those specific clients
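As an added illustration of the DHCP option 6 suggestion (not config from this thread), this OpenWrt /etc/config/dhcp fragment uses a dnsmasq tag to hand a different resolver only to the listed hosts; the tag name, MAC, IP and resolver address 198.51.100.53 are constructed placeholders.

```uci
# /etc/config/dhcp (added example fragment, not from the thread)

# Clients carrying this tag receive DHCP option 6 pointing at the
# constructed upstream resolver instead of the router's own dnsmasq.
config tag 'wanonly'
	list dhcp_option '6,198.51.100.53'

# One static host entry per device that should get the alternate DNS;
# name, MAC and address are constructed placeholders.
config host
	option name 'laptop-wan'
	option mac 'AA:BB:CC:DD:EE:01'
	option ip '192.168.1.50'
	option tag 'wanonly'
```

This only changes what the client is told to use; the port 53 hijack described earlier in the thread will still intercept those clients' queries unless the redirect rule exempts their addresses, which this fragment does not do.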

Thanks for the pointer, I really enjoyed the read and ended up trying a bunch more things as a result.

My understanding is that DNS option 6 "asks the device" to use a different DNS, which is also in conflict with the rest of the setup: all DNS gets hijacked and forwarded by the router. Please tell me my understanding is wrong, I really want it to be!

I don't seem to understand how I can tell dnsmasq:

  • you somehow got a DNS request from device A (either by A addressing it to you or by the hijack forward)
  • if device A is in your VPN whitelist, forward it through interface X (the VPN client) at DNS server Y (and encrypt it)

If dnsmasq can't do that, can other software do it? E.g. Pi-hole or Unbound. I don't want a local resolver, I just want the behavior described above.