OpenWrt Forum Archive

Topic: How to Configure DNS (OpenDNS etc)

The content of this topic has been archived on 17 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

How to Configure DNS (OpenDNS etc) and remove your ISPs DNS

THE SHORT ANSWER
Network => Interfaces => WAN => EDIT => Common Configurations => Advanced Settings
Use DNS servers advertised by peer    Uncheck
Use Custom DNS Servers                  [Add your DNS servers here]
Save and Apply
Reboot

THE LONG STORY
I realized yesterday after reading this post that I did not have my DNS servers configured as I wanted, but still not clear on how to do this.  https://forum.openwrt.org/viewtopic.php?id=60477

In Luci Status => Overview Network => IPV4 WAN Status I have 4 entries, and I only want the first 2. 

DNS 1: 209.244.0.3
DNS 2: 209.244.0.4
DNS 3: 208.59.247.45
DNS 4: 208.59.247.46

I now know the following:
Network => Interfaces => LAN => EDIT => Common Configurations => Use Custom DNS Servers adds an entry to the /tmp/resolv.conf.auto file, which I believe is called by the /etc/config/dhcp file, in the config dnsmasq section:  option resolvfile '/tmp/resolv.conf.auto'.  The entry looks like

# Interface lan
nameserver 209.244.0.3
nameserver 209.244.0.4

I can add a section to the /etc/config/network file for the interface lan or wan as follows:

option dns '209.244.0.3 209.244.0.4'

and this is added to the resolv.conf.auto file.

There is a section in the resolv.conf.auto file that is for my ISP (RCN) as follows.

nameserver 208.59.247.45    
nameserver 208.59.247.46
search cable.rcn.com

These are my ISP DNS servers, which I do not wish to use.  I deleted them from the file, but they returned after a reboot.

Eventually I came across this post https://forum.openwrt.org/viewtopic.php … 28#p181228

davidkennedy85 wrote:

In case any other noobs come across this, you have to uncheck the "Use DNS servers advertised by peer" setting under WAN > Advanced before you can set DNS servers for the WAN to use.

This check box controls the availability of the "Use Custom DNS servers" field on the WAN side.  It also adds the line "option peerdns '0'" to the config, which appears to be the key to ignoring the ISP's DNS settings in the resolv.conf.auto file.

QUESTIONS

I have learned that I can set a DNS on the LAN side.  What does this do, if anything?  Do I want this?

Where does DNSMASQ actually store its data (cache), and how do I view this?

Public DNS Servers
http://pcsupport.about.com/od/tipstrick … ervers.htm
http://www.getdriver.com/how-to/2498/fr … ience.html

(Last edited by RangerZ on 25 Oct 2015, 00:26)

RangerZ wrote:

I have learned that I can set a DNS on the LAN side.  What does this do, if anything?  Do I want this?

I don't think putting it in the lan config of /etc/config/network will do anything.

The clients on your network don't query the DNS servers you set up in the "wan" config directly.  When they request an IP via DHCP they are also supplied a list of name servers but, by default, this list of name servers only points to the router (you can have dnsmasq return a list of external DNS servers instead of itself during DHCP responses, but that will break name resolution of hosts on the local network).

The computer sends a DNS request to the router and then dnsmasq on the router uses its own list of nameservers (the ones you defined in /etc/config/network or the peer DNS sent by your ISP) from /tmp/resolv.conf.auto to make the request and return the answer to you.

Where does DNSMASQ actually store its data (cache), and how do I view this?

When you restart dnsmasq OpenWrt builds a dnsmasq.conf file from the config data in /etc/config/dhcp.  This rebuilt file is in /tmp/etc/dnsmasq.conf. 

I don't know where dnsmasq actually caches returned DNS queries.

dnsmasq is an extremely powerful tool that is often over-looked.  On my own network i have it doing DHCP for multiple subnets each with their own subdomain, DNS-SD to advertise services, CNAMEs for local machines, Google DNS for most domains but OpenNIC for their custom TLDs, and Ad-blocking at the DNS-Level.

Thank you for the reply

So if I understand, this is basically why I see my router's IP on the clients (DNS Servers) when I do an ipconfig /all.  It's relaying to the WAN side DNS config.

The real problem, and point of the post, was to share the problems I encountered trying to get the right config into the /tmp/resolv.conf.auto.  One post I saw on DNSCrypt said to disable the line pointing to the file (can be done in Luci) but this still seems to be processed. (DHCP and DNS => Resolv and Hosts File => Ignore Resolve File checkbox for those interested)

Reading the article you referenced, it talks about the DNSMASQ.CONF file, but mine is empty.  All the related config is in DHCP and NETWORK.  I even added some servers to the DNSMASQ.CONF file, but they did not make their way into the resolv.conf.auto.  Not sure what is a bug or just lack of understanding/docu.  It seems DNSMASQ should be configured through this file.

The article also references the /etc/hosts file.  I am running an OpenVPN server on this device, and having issues with the clients not reliably browsing the Windows Network.  I can get to any device by IP, and generally I know the few I need, but I would rather browse.  Can I take advantage of this file (toolset) to help with this issue?

RangerZ wrote:

Thank you for the reply

So if I understand, this is basically why I see my router's IP on the clients (DNS Servers) when I do an ipconfig /all.  It's relaying to the WAN side DNS config.

Yes, dnsmasq sits in between.

The real problem, and point of the post, was to share the problems I encountered trying to get the right config into the /tmp/resolv.conf.auto.  One post I saw on DNSCrypt said to disable the line pointing to the file (can be done in Luci) but this still seems to be processed. (DHCP and DNS => Resolv and Hosts File => Ignore Resolve File checkbox for those interested)

As you discovered, the /tmp/resolv.conf.auto file is generated by the settings for your "wan" interface in /etc/config/network.

If you don't define any dns servers it will use the ones supplied by your ISP.  If you define some, like so

    option dns '8.8.8.8 8.8.4.4'

then it will use the name servers you defined and the ones supplied by your ISP.

Adding

    option peerdns '0'

will make it use only your defined name servers, ignoring your ISP supplied DNS.

If you have IPv6 connectivity your "wan6" interface can also have its own IPv6 DNS servers set in a similar manner.

    option dns '2001:4860:4860::8888 2001:4860:4860::8844'
    option peerdns '0'

(all these servers in my example are for Google's Public DNS).

I've never used DNSCrypt but the page seems fairly simple.

Reading the article you referenced, it talks about the DNSMASQ.CONF file, but mine is empty.  All the related config is in DHCP and NETWORK.  I even added some servers to the DNSMASQ.CONF file, but they did not make their way into the resolv.conf.auto.  Not sure what is a bug or just lack of understanding/docu.  It seems DNSMASQ should be configured through this file.

OpenWrt regenerates its own dnsmasq.conf file (stored as /tmp/etc/dnsmasq.conf) from the settings in /etc/config/dhcp.  /etc/dnsmasq.conf can be used for additional configuration, but /tmp/etc/dnsmasq.conf is used first.  Just use the "wan" interface as above for your DNS servers.

The article also references the /etc/hosts file.  I am running an OpenVPN server on this device, and having issues with the clients not reliably browsing the Windows Network.  I can get to any device by IP, and generally I know the few I need, but I would rather browse.  Can I take advantage of this file (toolset) to help with this issue?

Windows Network Browsing doesn't use standard DNS, but the weird-ass Netbios so this won't help with that, but because dnsmasq is doing your DHCP you should be able to access machines by the name they register (either the raw name, or name.domain where .domain is what you set in /etc/config/dhcp).
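An added check for the peerdns point made above (example code, not from the thread or from OpenWrt): it audits a resolv.conf.auto for nameservers that were not configured with "option dns", which is exactly what appears while "Use DNS servers advertised by peer" is still on. Both sample files are constructed here using the addresses quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or OpenWrt: audit a resolv.conf.auto for
# upstream resolvers you did not configure. With "Use DNS servers advertised by
# peer" still on (option peerdns '1'), the ISP's servers are written next to
# the ones set with "option dns"; this check reports them.

# Constructed sample: the file as it looks while peerdns is still enabled.
# Addresses are the ones quoted earlier in the thread.
SAMPLE_LEAKY=$(mktemp)
cat >"$SAMPLE_LEAKY" <<'EOF'
# Interface lan
nameserver 209.244.0.3
nameserver 209.244.0.4
# Interface wan
nameserver 208.59.247.45
nameserver 208.59.247.46
search cable.rcn.com
EOF

# Constructed sample: the same file after option peerdns '0' on wan.
SAMPLE_CLEAN=$(mktemp)
cat >"$SAMPLE_CLEAN" <<'EOF'
# Interface wan
nameserver 209.244.0.3
nameserver 209.244.0.4
EOF

# list_nameservers FILE: print the nameserver addresses, one per line,
# skipping comments, blank lines and search/domain directives.
list_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# unexpected_nameservers FILE ALLOWED...: print every nameserver in FILE that
# is not in the ALLOWED list. Returns 0 when nothing unexpected was found and
# 1 otherwise, so it can be used in an if or from a cron job.
unexpected_nameservers() {
    file=$1; shift
    allowed=" $* "
    found=0
    for ns in $(list_nameservers "$file"); do
        case "$allowed" in
            *" $ns "*) ;;                # a resolver you configured
            *) echo "$ns"; found=1 ;;    # came from somewhere else (peer DNS)
        esac
    done
    return $found
}

# Stand-alone run over the constructed files. On the router the call would be
#   unexpected_nameservers /tmp/resolv.conf.auto 209.244.0.3 209.244.0.4
for f in "$SAMPLE_LEAKY" "$SAMPLE_CLEAN"; do
    if unexpected_nameservers "$f" 209.244.0.3 209.244.0.4 >/dev/null; then
        echo "$f: only configured resolvers present"
    else
        echo "$f: unexpected resolvers, check 'option peerdns' on wan"
    fi
done
```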

A few days ago I came across this post http://www.techrepublic.com/blog/linux- … -services/  It helped me a bit to get started.  I have subscribed to this topic. I hope to learn more about dnsmasq too.

The manpage is HUGE http://www.thekelleys.org.uk/dnsmasq/do … q-man.html
but it's not clear how to use all that info.

Does anyone know if there is an official manual? (other than the manpage)

Maybe this can also be used in the documentation:
https://www.linux.com/learn/tutorials/5 … e-services

By default dnsmasq will take the hostname your client computer gives it during the DHCP process and then add the domain name you defined in /etc/config/dhcp, allowing any other machine on the network to access the client by name.

If the client doesn't give dnsmasq its own name or you want to give it a different name it's possible.  Here's a snippet of my /etc/config/dhcp to illustrate:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option authoritative '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option local '/lan.example.org/'
        option domain 'lan.example.org'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option start '201'
        option limit '50'
        option ra_management '1'

config host
        option name 'orange'
        option mac 'b6:fc:6d:51:bf:4f'
        option ip '192.168.0.51'

config host
        option name 'orange'
        option mac '9a:07:f1:ba:53:cc'
        option ip '192.168.0.52'

In the example above the machine called 'orange' has two entries, with different MAC addresses and reserved IPs (one for wifi and one for ethernet).  Connect the machine to the network and it gets the relevant IP for the interface and becomes accessible to other machines on the network as orange.lan.example.org.  If both wifi and ethernet are connected at the same time then orange.lan.example.org goes to which ever interface connected most recently.

Because dnsmasq only adds an entry to the DNS when a DHCP lease is created and you might reboot your router between lease renewals it's best to make sure that any servers on your network are always resolvable.  You can set these in /etc/hosts or use "config domain" (which OpenWrt uses to generate its own /tmp/hosts/dhcp in the same format as /etc/hosts and dnsmasq uses first):

/etc/config/dhcp

config host
        option name 'files'
        option mac '06:4a:e5:63:cb:14'
        option ip '192.168.0.10'

config domain
        option name 'files'
        option ip '192.168.0.10'

Now files.lan.example.org will always resolve.

Say we're designing a new version of the website www.example.com, so we install a webserver onto our files.lan.example.org machine and redirect www.example.com to it for just people on our network to test out the new design.

/etc/config/dhcp

config cname
        option cname 'www.example.com'
        option target 'files.lan.example.org'

All this won't help the OP with his Windows Network Browsing problem, but it should let him address machines by a known or defined name instead of having to remember IPs.  Running a WINS server and announcing it via DHCP

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option start '201'
        option limit '50'
        option ra_management '1'
# The following announces the IP address of your WINS server.
# Adjust to match server's IP
        list dhcp_option '44,192.168.0.10'

might help with Windows Network Browser but Windows is something i've successfully avoided using for the past 15 years so can't say for sure.

(Last edited by Middling on 26 Oct 2015, 15:20)

@Middling, I would like to thank you for taking the time to write a detailed and comprehensive response to this post. 

I understand much, but not all of this.  I will do some testing and more reading. 

My option local and option domain is the default "lan".  I assume I can just use the [device].lan.  I will test this next time I am on the road.

What I was really hoping to accomplish is to be able to use the file browser and just "click" my way through the network shares, so while the above is easier than remembering the IP, it still relies on recall.  I guess this is more Samba related, but it's a nice to have.  I can just create a shortcut to the IP to address this.

RangerZ wrote:

My option local and option domain is the default "lan".  I assume I can just use the [device].lan.  I will test this next time I am on the road.

Yeah, [device].lan by default.  You can set it to whatever you want and i usually prefer to use something within a domain i own.

What I was really hoping to accomplish is to be able to use the file browser and just "click" my way through the network shares, so while the above is easier than remembering the IP, it still relies on recall.  I guess this is more Samba related, but it's a nice to have.  I can just create a shortcut to the IP to address this.

If you're running Samba somewhere on your network it's really easy to get it working as a WINS server.  Simply add

wins support = yes

to your Samba config and restart it.

Then add the dhcp_option listed in my earlier post to your OpenWrt's /etc/config/dhcp file and restart dnsmasq.

The next time your local Windows machines connect and do a DHCP request they will be informed there's a WINS server on the network and register their names with it.

I suspect that your network browsing problem is with your OpenVPN config, especially if machines connected to your VPN are on a different subnet.  From this thread it looks like adding

push "dhcp-option WINS 192.168.0.10"

to your OpenVPN server.conf file will supply the WINS server address to VPN-connected clients.  They should then register their addresses with the WINS server and all Windows machines, local and VPN, should query the WINS server for details of Network Browsable machines.

I am not totally following the WINS server. 

Do I need to install any software to perform this or is it part of samba (already installed)?

# The following announces the IP address of your WINS server.
# Adjust to match server's IP
        list dhcp_option '44,192.168.0.10'

Is this IP my router's LAN IP (192.168.111.1)?  If not, where do I get it?

RangerZ wrote:

I am not totally following the WINS server. 

Do I need to install any software to perform this or is it part of samba (already installed)?

It's part of Samba, just not enabled by default.  In your smb.conf file, under the [global] section add

wins support = yes

to enable it.

Some places online suggest you want a few extra options to ensure Windows XP and later register with the WINS server.

wins support = Yes
os level = 99
domain master = yes
preferred master = yes

If you're using FreeNAS instead of running Samba on a server directly the above goes in the "Auxiliary parameters" box in your "CIFS Settings".

# The following announces the IP address of your WINS server.
# Adjust to match server's IP
        list dhcp_option '44,192.168.0.10'

Is this IP my router's LAN IP (192.168.111.1)?  If not, where do I get it?

It's the IP of your Samba server.

So going back through the above, I think I want to make the following changes:

smb.conf.template (per Samba wiki)
[global] 
    wins support = Yes
    os level = 99
    domain master = yes
    preferred master = yes

dhcp.conf
config dhcp 'lan'
    # The following announces the IP address of your WINS server.
    # Adjust to match server's IP
    list dhcp_option '44,192.168.111.1'

OpenVPN Server Config
    push "dhcp-option WINS 192.168.111.1"

For the follow-on readers, the 'list dhcp_option' is noted here:
http://wiki.openwrt.org/doc/howto/cifs.server which uses the 44
http://wiki.openwrt.org/doc/uci/dhcp#dh … lt_gateway which explains DHCP parameters and some other examples
http://www.networksorcery.com/enp/proto … ptions.htm and here which lists possible values for the list dhcp_options.  44 is "NetBIOS over TCP/IP name server", which now seems obvious.

Reading up on the OS level values here I see you are recommending the value be moved from its current value of 20 to 99, which makes it the highest priority on the LAN (to the best of my knowledge). I have every device on my LAN configured with a static IP on this device, so I can always properly see the host name.  I do have a Synology NAS, and not sure if it is relevant. So, this would move the basic function of browsing control from the individual machine to the router's new WINS server.  Please correct my semantics.

Looking at your DHCP snippet above, I see you do not have the line

    option readethers '1'

which I think is the default.  Any relevant reason?  I see my /etc/ethers is empty, so I guess it's ignored.  I do see all my static IPs in the /tmp/etc/dnsmasq.conf

RangerZ wrote:

So going back through the above, I think I want to make the following changes:

Looks good.  Theoretically this should work, but i've just spent a few hours unsuccessfully trying to get network browsing working across subnets.

The WINS server seems to work fine and, thanks to the DHCP option, clients in both subnets register their names with it.  Once i modified the Windows firewall i was able to access machines in the other subnet using \\machine-name but they still didn't populate the Network view.

I suspect it may be due to Master Browser Elections.  For some reason as soon as a Windows machine came up in the same subnet as the Samba server it would start an election to become the network's master browser, and Samba would lose EVERY SINGLE TIME.  I even tried upping the "os level" to 255, but Samba still lost.

I'm stuck, and the whole thing just served to remind me how much i dislike trying to do anything on Windows. ^_^

You might be better served asking on the Samba mailing list.  Sorry i couldn't help solve this one.

I do have a Synology NAS, and not sure if it is relevant.

It's probably running a version of Samba too, so it might be worth seeing if WINS can be enabled on that and save yourself having to run it on the router.

Looking at your DHCP snippet above, I see you do not have the line

    option readethers '1'

which I think is the default.  Any relevant reason?  I see my /etc/ethers is empty, so I guess it's ignored.  I do see all my static IPs in the /tmp/etc/dnsmasq.conf

At one point i did configure some things in /etc/ethers but IIRC it wasn't included in the configuration backup and i got bit when i wiped the router and attempted to reload my config.  These days i configure most dnsmasq stuff in /etc/config/dhcp with a handful of extra /etc/dnsmasq.conf.whatever files for extras.

Thanks for all your help.  I will proceed with caution.

Success!

I switched from using the Samba server on my FreeNAS to the package for OpenWrt.  I don't know if it's a bug in Samba 4.x that causes it to lose the browser election process or what, but the Samba 3.6.x package for OpenWrt does win if configured correctly.

Here's a howto:

Install the Samba server on your OpenWrt:

opkg update
opkg install samba36-server

Edit /etc/config/samba

config samba
    option 'name'            'OpenWrt'
    option 'workgroup'        'WORKGROUP'
    option 'description'        'WINS server'
# Not doing any file sharing on this Samba server so disable homes.
    option 'homes'            '0'
# Make sure all the interfaces you want are listed.  I have wired, 2.4GHz wifi, and
# 5GHz wifi on different subnets and i'm excluding my guest wifi.  Also include the
# loopback interface.
    option interface 'lo lan wifi5_priv wifi_priv'

Edit /etc/samba/smb.conf.template to enable WINS and up the os level.

[global]
    netbios name = |NAME| 
    display charset = |CHARSET|
    interfaces = |INTERFACES|
    server string = |DESCRIPTION|
    unix charset = |CHARSET|
    workgroup = |WORKGROUP|
# This server just does WINS and local/domain master browser duties
# so it doesn't need to appear in network browse lists.
    browseable = no
    deadtime = 30
    domain master = yes
    encrypt passwords = true
    enable core files = no
    guest account = nobody
    guest ok = yes
    invalid users = root
    local master = yes
    load printers = no
    map to guest = Bad User
    max protocol = SMB2
    min receivefile size = 16384
    null passwords = yes
    obey pam restrictions = yes
# Increase the "os level" so this server always wins local master elections
    os level = 255
    passdb backend = smbpasswd
    preferred master = yes
    printable = no
    security = user
    smb encrypt = disabled
    smb passwd file = /etc/samba/smbpasswd
    socket options = TCP_NODELAY IPTOS_LOWDELAY
    syslog = 2
    use sendfile = yes
    writeable = yes
# Add the following two lines to enable WINS and name resolution
    wins support = yes    
    name resolve order = wins lmhosts hosts bcast

Restart Samba

/etc/init.d/samba restart

Edit your /etc/config/dhcp and make sure you're sending your router's lan IP as the WINS server:

config dhcp 'lan'
    # The following announces the IP address of your WINS server.
    # Adjust to match server's IP
    list dhcp_option '44,192.168.111.1'

Do the same for your OpenVPN config.

Restart dnsmasq and OpenVPN.

Reconnect a machine to the network so it does another DHCP request.

All your machines, from multiple subnets, should now appear in the Network section of Explorer.

I tested this across multiple subnets using Windows 7 VMs, an old Windows Vista laptop and Linux.  All seems to be working fine.

Thanks again for the followup. 

I am only running a single subnet.  How can I test that Samba is in control over Windows?

Open a command prompt on Windows and run

nbtstat -a netbiosname-of-router

If the response contains a line beginning

..__MSBROWSE__.

then it's the local master browser.

I have done no new config as yet and get the following.  What is this telling me?

GB CT Adapter:
Node IpAddress: [192.168.111.53] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    OPENWRT        <00>  UNIQUE      Registered
    OPENWRT        <03>  UNIQUE      Registered
    OPENWRT        <20>  UNIQUE      Registered
    WORKGROUP      <1B>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered
    WORKGROUP      <00>  GROUP       Registered

    MAC Address = 00-00-00-00-00-00

Create a new file /etc/resolv.conf.opendns with the following content (OpenDNS)

nameserver 208.67.222.222
nameserver 208.67.220.220

Change option resolvfile '/tmp/resolv.conf.auto' to option resolvfile '/tmp/resolv.conf.opendns' in /etc/config/dhcp.   

Reboot the router.

Your local machine names should still work since it's just changing the upstream DNS to OpenDNS.

(Last edited by wzhang on 27 Oct 2015, 18:25)

RangerZ wrote:

I have done no new config as yet and get the following.  What is this telling me?

I think it's just saying that OpenWrt exists as a NetBIOS host on the network and can be accessed at \\OpenWrt.

Middling wrote:

Open a command prompt on Windows and run

nbtstat -a netbiosname-of-router

If the response contains a line beginning

..__MSBROWSE__.

then it's the local master browser.

I guess as I had not configured anything I expected to see the MSBROWSE in the nbtstat response.

I have had some business come up and will probably not get back to this for a few days or more.

Thanks again!

@wzhang, I had not tried a new file, but the /tmp/resolv.conf.auto kept inheriting the DNS from my ISP after each reboot.  The secret was to disable the Use DNS servers advertised by peer check box, and then I could edit the DNS entries directly in LuCi. 

I am using the L3 DNS servers, as some reading I did led me to believe they are fastest.

The discussion might have continued from here.