VPN Dns with Openvpn and Dnsmasq

Hi there

I have a Linksys router running the latest davidc502 build although I don't know that this question is specific to that build.

I have openvpn configured to bring up a private internet access vpn on startup. They have recently switched to using DNS over the vpn that is provided form a 10. address only available when the vpn is up.

All the devices connected to the router query the dnsmasq instance on it. I was wondering how to configure dnsmasq to query the vpn dns when the vpn is brought up successfully and then switch back to the dns configured in the WAN interface when it comes down.

1 Like



Thanks I missed that :slight_smile:

1 Like

Hi there, so I implemented this successfully and DNS switches between the private dns when the vpn is up and a list of dns servers I specified in the wan interface when it is down.

I then followed these instructions to set up dnssec

What I found was that dns worked with the vpn up including dnssec. However when i took the vpn down I no longer had dns resolution.

I tried chaining this line in /etc/openvpn/client.sh

(down) uci revert dhcp ;;


(down) uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf"

This didn't seem to work although this file exists and has the correct non vpn dns servers in it.

So I reset everything so I have the original setup, configured openvpn as you suggested as above in the linked instructions and then did a bit of further investigation.

When the vpn comes down I see this in the log

Wed Nov 25 12:44:15 2020 daemon.info dnsmasq[7851]: using nameserver <private vpn nameserver 1>#53
Wed Nov 25 12:44:15 2020 daemon.info dnsmasq[7851]: using nameserver <private vpn nameserver 2>#53

If i then try to do an nslookup from the router it fails with:

*** Can't find domain.name.com: No answer

However if i look up domain.name.com from a machine on the lan then it finds it and the dns resolves on the router.

So something very odd is occuring.

The default option resolvfile depends on OpenWrt version:

Ok, yes mine is the snapshot. I've changed the (down) case to use resolv.conf.auto and it works. I'll try the dnssec thing again later this week and see what happens.

Couple of notes.

I think the issue with dnssec appearing to still be using my vpn dns when the dns was down was just a logging artifact. It spools out the correct dns servers to the log a little later on.

The DNS resolution on the router vs the dns on the lan is odd. Some names resolve on the router some don't. It all works fine on the lan and the lan is definately using the router so I don't get that. It may account for an issue I've had for some time where sometimes the vpn fails because the names don't resolve. I just use IP's now and it's fine.

1 Like

There are multiple reasons for this including client and server DHCP configs, DHCP lease status, DNS records, plain name expansion parameters, domain search list, etc.

At the same time, LAN clients may use NetBIOS/LLMNR/mDNS/etc.

1 Like

Ok not sure where to start with that. The default dns servers are configured in the wan interface via the UI or via the client up script.

There's nothing on the LAN other then the router & a linux desktop :slight_smile:

If you want reliable name resolution, use persistent hostnames:

1 Like

Ah sorry my fault I wasn't clear about my problem. I wasn't talking about resolving names of devices on my lan.

What I meant was that if i do an nslookup of public dns record like www.redhat.com then it works from machines connected to the lan but I get mixed results from the router. However some domains work and some don't it's very odd.

1 Like

It's best to open a new thread as this sounds like a different issue.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.