VLANS and One (1) DNS server

I have been testing vlans with openwrt and constantly resetting things to "firstboot" to ensure that I have my process steps correct when making changes.

I have managed to figure out and get vlans working. Currently I have a test network that consists of 3 vlans (lan, guest, iot) which are passed along successfully to a wap which also passes the vlans to the wifi networks.

DHCP works for all 3 vlans in that I can connect to each vlan and get a corresponding ip address for that subnet.

I also have a single pihole server that is the dns for all 3 vlans. However, I had to create 3 separate interfaces on the pihole server to connect to each vlan to serve dns via the dhcp option 6. This resulted in 3 different ip addresses for the pihole just to serve dns for all vlans.

How do I go about getting all vlans to use one (1) ip address as their dns server without requiring the dns server to live on all 3 vlans?

The closest I have gotten so far is using a firewall rule that allows traffic from the vlan to the dns specific ip address but from there it doesn't reach the internet. If I have the pihole dns on each vlan with its own vlan ip address and dhcp option 6 then the vlans can reach the internet.

I hope I was clear enough on my question. Thank you for your time.

I looked into this because it is of interest to me but I have not done it yet on OpenWrt. The enterprise routers and multi-layer switches that I worked on professionally usually had a simple command or two for this.

Searching this forum, it looks like it is straightforward using dnsmasq, which is part of the standard builds on most OpenWrt router/firewall images. Switch the dnsmasq config for each interface desired from serving/ignoring to "relay".


...but it may be good to read the other sections as well.

Other threads on this forum indicate that you need to have dnsmasq enabled for the network interface where the DHCP clients are but configured to relay rather than serve DHCP.

Restart dnsmasq to put changes into effect.

Good luck and consider marking this thread solved once you get a working solution.

  1. Configure your clients in all vlans to use the OWRT router as their DNS server.
  2. Redirect all requests for port 53 to your pihole server.

@Barney My understanding on that option is that the visibility of clients listed in the pihole log is lost since all queries to the pihole will appear as being from the router and not from the clients. Or do I have that wrong?

I'm using AdGuardHome as central DNS server for all my VLANs (instead of pihole). The clients' IP addresses appear in the AdGuardHome logs/stats.

AFAIK this happens, when you do not redirect the DNS queries, but your router uses pihole as DNS server.

I figured it out without having to redirect port 53.

It was my L3 switch not routing correctly. Now my pihole has one interface on the main subnet but the other subnets are routed correctly to the pihole on a single IP address. Subnet isolation still exists and now I can see hostname and IP address queries instead of just the queries coming from openwrt.
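An OpenWrt configuration that matches the routed setup described above (one pihole address on the main subnet, every VLAN handed that address via DHCP option 6, guest and iot allowed to reach only its port 53 so subnet isolation survives), written here as an added example and not taken from any poster in this thread; the subnets 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, the pihole address 192.168.1.53 and the zone names lan/guest/iot are assumptions:

```uci
# /etc/config/dhcp (excerpt) -- every VLAN hands out the same resolver.
# Assumed layout: lan 192.168.1.0/24, guest 192.168.2.0/24, iot 192.168.3.0/24,
# pihole at 192.168.1.53 (placeholder addresses; zone names lan/guest/iot).
config dhcp 'lan'
	option interface 'lan'
	list dhcp_option '6,192.168.1.53'

config dhcp 'guest'
	option interface 'guest'
	list dhcp_option '6,192.168.1.53'

config dhcp 'iot'
	option interface 'iot'
	list dhcp_option '6,192.168.1.53'

# /etc/config/firewall (excerpt) -- guest and iot get no forwarding to lan,
# so the VLANs stay isolated; only DNS to the one pihole address is allowed.
# Replies return via connection tracking, so no reverse rule is needed, but
# the pihole host must be able to route 192.168.2.0/24 and 192.168.3.0/24
# back through the router (the L3 routing problem mentioned in the thread).
config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'Allow-guest-DNS-to-pihole'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.53'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-iot-DNS-to-pihole'
	option src 'iot'
	option dest 'lan'
	option dest_ip '192.168.1.53'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

Restart dnsmasq and the firewall after editing (the default lan-to-wan forwarding is assumed to be present and is left unchanged). These rules only permit the pihole as a destination; a client that ignores option 6 can still query another resolver unless a separate rule restricts that.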
