Using Wireguard Server DNS occasionally

I use the Wireguard VPN to my home LAN occasionally to access one of the servers. Unfortunately I did not manage to get the server-side DNS to resolve server-side host names.

I learned that the server-side DNS I defined in the interface section of the Wireguard client definition will be written on top of the (5) DNS IPs on the client router. Unfortunately the DNS servers listed will be used in a non-predictable manner. So a DNS request for e.g. "mynasmachine" leads to an NXDOMAIN instantly.

Is there any way to use the server-side DNS as long as the VPN tunnel is up?

I am not sure what you mean.
Local DNS resolution is just done by DNSMasq; in order for that to work, your clients, whether LAN or WG clients, should have the router's address as DNS server.

For WG clients set the DNS server in the client config file on the client.

The list dns 'XXX' entries you set on the interfaces are the upstream DNS servers DNSmasq is using and have nothing to do with local DNS resolving.
As you noted, all list dns 'XXX' entries you set on interfaces end up in the same resolv file, so it is not very useful to set dns on different interfaces.


Thank you so much for the clarification.

Using an OpenWRT router on both sides, the goal is quite simple. As long as the WG tunnel is up, the client side router (and the clients) should use only the DNS server located in the home LAN on the WG server side. As soon as the tunnel is down, the client side router should use the DNS provided by the ISP.

This is why I put the IP of the DNS in the home LAN into the interface section on the WG client side. Setting a custom DNS on the WG client side is not a good approach in my opinion, because the server-side DNS is not reachable as soon as the tunnel goes down.

So do you have an idea how I can achieve my goal with a clean and simple setup?

Yes, that is possible: on the client side you use a script to use the DNS server set on the WG interface as the only DNS server when the tunnel is up.

See for an example:

For some background:

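As an added example of the script approach described in the reply above (this is not code from the thread, from the linked posts, or from OpenWrt itself): a hypothetical hotplug script for the client-side OpenWrt router that points dnsmasq at the home-LAN resolver while the WireGuard interface is up and back at the ISP-provided list when it goes down. The interface name wg0, the home DNS address 192.168.1.1 and the resolv file paths are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Hypothetical hotplug script, e.g. /etc/hotplug.d/iface/99-wg-dns on the client-side router.
# netifd runs it with ACTION (ifup/ifdown) and INTERFACE (the UCI interface name) in the environment.
# Assumptions (not from the thread): the WireGuard interface is named 'wg0' and the home-LAN
# DNS server reachable through the tunnel is 192.168.1.1.
WG_IFACE="${WG_IFACE:-wg0}"
HOME_DNS="${HOME_DNS:-192.168.1.1}"
WG_RESOLV="${WG_RESOLV:-/tmp/resolv.conf.wg}"
# Resolv file netifd fills with the ISP/upstream servers on OpenWrt 21.02 and later
# (older releases use /tmp/resolv.conf.auto); assumed here, check your release.
ISP_RESOLV="${ISP_RESOLV:-/tmp/resolv.conf.d/resolv.conf.auto}"

# Contents of the resolv file dnsmasq uses while the tunnel is up: only the home-LAN server,
# so no query can leak to an ISP resolver and fail with NXDOMAIN for LAN-only names.
render_wg_resolv() {
  printf 'nameserver %s\n' "$HOME_DNS"
}

# Pick the resolv file dnsmasq should read for a given hotplug event. Prints nothing for
# events that are not about the WireGuard interface (or are not ifup/ifdown) so they are ignored.
select_resolvfile() {
  action="$1"
  iface="$2"
  [ "$iface" = "$WG_IFACE" ] || return 0
  case "$action" in
    ifup)   echo "$WG_RESOLV" ;;
    ifdown) echo "$ISP_RESOLV" ;;
  esac
}

# Point dnsmasq at the chosen file and restart it. The uci/init.d calls only run on a
# real OpenWrt box; elsewhere the intended change is reported on stderr.
apply_resolvfile() {
  target="$1"
  [ -n "$target" ] || return 0
  if [ "$target" = "$WG_RESOLV" ]; then
    render_wg_resolv > "$WG_RESOLV"
  fi
  if command -v uci >/dev/null 2>&1; then
    uci set "dhcp.@dnsmasq[0].resolvfile=$target"
    uci commit dhcp
    /etc/init.d/dnsmasq restart
  else
    echo "would set dnsmasq resolvfile to $target" >&2
  fi
}

# Entry point used by hotplug; does nothing when run by hand without ACTION/INTERFACE set.
apply_resolvfile "$(select_resolvfile "$ACTION" "$INTERFACE")"
```

Because the change is committed to /etc/config/dhcp it survives a reboot; the tunnel's own ifup event re-creates the file in /tmp, and the ifdown event restores the ISP list, so the router is never left pointing at a resolver it cannot reach. You can verify the active setting with uci get dhcp.@dnsmasq[0].resolvfile after bringing the tunnel up and down.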

These links helped me a lot. I found the following solution: setting the DNS IP in the interface section on the WG client router writes this IP in the first place as soon as and for as long as the WG VPN is up, even without setting any metric. Then setting the strict-order flag leads exactly to the situation I wanted to achieve.

All DNS requests go to the server on the home LAN, and even the name resolution for hosts in the home LAN works flawlessly.

Thank you.

Strict order is highly unreliable, but if it works for you, that is :+1:


That is true. I have had that issue one time, after playing around a lot in the settings. But after a reboot, things went fine again. Perhaps that is a cache issue. I will check that regularly and dive in if necessary.