Using internal DNS while also serving guest network with dnsmasq

TL;DR: I need the router itself to use the DNS servers on the LAN, while also running a guest network which must not access the LAN. Where do I tell the router to do this in a persistent manner that won't get splatted on reboot?

Router is OpenWRT 23.05. An upstream router provides internet service - my router associates with it over wireless, but I otherwise have no control over it.

The LAN has its own DNS and DHCP servers, and so the router does not need to provide these to the LAN, but it does need to access resources inside the LAN, so needs to use the LAN DNS servers.

Router also serves a guest network, for which it does provide DNS and DHCP, but only to the extent needed to connect devices to upstream. Devices on the guest network must not be able to access the LAN - it is effectively just a workaround for poor signal to the upstream router.

Here's where I'm coming unstuck. In such circumstances, other answers suggest putting the LAN DNS in the "DNS and DHCP" configuration, but this is for dnsmasq, which is currently serving the guest network, which as I say must not use the LAN servers. The obvious place to put the DNS servers and search path would be in /etc/resolv.conf, but from reading other threads I see that this file gets rebuilt on every reboot, and so changes to that file don't persist.

How do I persistently tell the router itself to use the LAN DNS servers without exposing them to the guest network through dnsmasq? Alternatively, is there a better way I can achieve this?

Maybe this is what you are looking for:

Thanks, but without further explanation I don't think those are helpful. The first guide seems to want me to bridge the LAN to upstream, and the second wants me to set firewall rules allowing traffic to be forwarded from the guest network to the LAN. Both of those things seem like the exact opposite of what I'm trying to do, unless I'm misunderstanding something in there.

I'm not sure that in the case of the LAN the router is a dumb AP, since it's providing the upstream connection.

The guest zone was set to accept/accept/accept. Changing to reject/accept/reject and adding the two rules provided appears to have broken DNS. Queries are being sent to the router and timing out.

Also, I had added my local DNS servers to /etc/resolv.conf, and rebooted the router, and as expected those changes have not persisted.

Post the /etc/config/firewall.

Think I found that problem.

config rule
	option name 'Guest-DHCP'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Guest-DNS'
	option src 'guest'
	option dest '*'
	option dest_port '53'
	option target 'ACCEPT'

Could have sworn I left the destination blank, but fixing that rule has brought resolution back to the guest network.

Guest network is now working with upstream DNS as expected. All that remains is for the router itself to use LAN DNS for its own requests.

All that remains is for the router itself to use LAN DNS for its own requests.

Any solutions for this part?

Just to add some information on what I've actually tried in the past week:

I added a separate profile to dnsmasq, excluded loopback from the main cfg profile, and set up a second local profile to forward to my LAN servers. Now query results on the router work correctly, and query results from the guest network do not return private results, but when requesting local names to ensure the guest network isn't resolving them, I get the following in the log, which suggests that requests from the guest network might be being seen by the local profile that is only supposed to serve the router itself.

dnsmasq[1]: possible DNS-rebind attack detected

A description of that message states that it shows when a DNS response from upstream would provide a private address. I have checked my public DNS records for the domain I use, and it does at least point to only a public IP address, so while clients using the cfg profile are correctly getting a public IP address, this warning message suggests that the local profile is also being implicated here when it shouldn't be.
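For reference, this is what the two-instance layout described in the post above could look like in UCI, as an added example rather than configuration taken from the thread: the guest instance ignores the interface-supplied resolvers and never rewrites the router's resolv.conf, the local instance listens on loopback only and forwards everything to the LAN servers, and the firewall admits guests to the router itself for DHCP and DNS only (input rules, no dest) while forwarding them to the upstream zone alone. The resolver addresses, the LAN domain lan.example, the zone name wan and the section names are assumptions; rebind_domain exempts the LAN domain from rebind protection on the local instance, since answers from the LAN servers legitimately carry private addresses.

```uci
# /etc/config/dhcp (example layout; addresses and names are assumed, not from the thread)
config dnsmasq 'cfg'               # serves the guest network only
	option rebind_protection '1'
	option noresolv '1'            # ignore resolv.conf.auto so LAN resolvers never leak in
	option localuse '0'            # do not repoint the router's own resolver at this instance
	list server '203.0.113.53'     # upstream/public resolver for guests (assumed)
	list interface 'guest'
	list notinterface 'loopback'   # dnsmasq adds lo automatically when 'interface' is set; exclude it

config dnsmasq 'local'             # serves the router itself only
	option noresolv '1'
	option localuse '1'            # writes nameserver 127.0.0.1 (+ search) to /etc/resolv.conf on every start
	option domain 'lan.example'    # assumed LAN domain, becomes the search path
	option rebind_protection '1'
	list rebind_domain 'lan.example'  # LAN names may legitimately resolve to private addresses
	list server '192.0.2.10'       # LAN DNS server (assumed)
	list interface 'loopback'

config dhcp 'guest'
	option instance 'cfg'          # only the guest instance hands out leases
	option interface 'guest'
	option start '100'
	option limit '150'

# /etc/config/firewall (relevant parts): guests reach the router for DHCP/DNS only, and are forwarded only upstream
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'              # assumed name of the upstream zone; no forwarding to lan

config rule                        # no 'dest' option: an input rule, i.e. to the router itself
	option name 'Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Guest-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

With this layout a guest client should get only upstream answers, and a name in lan.example queried from the router should resolve through the LAN servers without the rebind warning, which is an easy pair of checks to run after the restart.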

Why can't the guest network use the 'LAN' DNS servers? Either directly or by setting them as forwarders in dnsmasq?

That would mostly defeat the point of the guest network. Guests are not supposed to see anything of the other network the router is serving. When they issue a DNS request, they should get exactly the response the upstream ISP would have served (or close to that), unless they've chosen to use a different server. The internal DNS setup includes AD and local block/pass lists before being forwarded to the public DNS service of my choice.