Automatic DNS prioritization?

Hi, I have a Slate Plus being used in repeater mode, connecting to a WireGuard network. The wireguard configuration specifies a DNS server.

In the DNS settings, I am set to “Automatic”, and I see both “DNS From Repeater” and “DNS from WireGuard” entries, but it seems to only query the DNS from Repeater, and queries are never sent to the WireGuard-specified DNS server.

Is there some way to change the prioritization here? Query the WireGuard DNS server first, and then the Repeater DNS? I don’t want to set my DNS servers manually every time I connect and disconnect from my VPN!


VPN DNS is always preferred, you can see the DNS currently in use from the system log (we will do some optimization on the DNS page later).

If you still can’t confirm, choose to Manuall DNS and enter the DNS address in the VPN configuration file in the input field.


See “using name server”, which is what’s coming from the upstream provider.
At this point, it doesn’t even show up in the DNS settings!
(image coming next post because I can only post one.)

Magic? bug?

Please provide your firmware version.
Also, can you share your wireguard configuration? You can hide the key in the configuration file, but keep the DNS related configuration.

  • Version 4.1.2
  • Firmware Type release3
  • Compile Time 2022-12-27 15:09:12(UTC+08:00)

and the wireguard conf:

Address =
ListenPort = 51820
PrivateKey = secretkeyhahanosorryinternetses

AllowedIPs =,,,,,
Endpoint =
PersistentKeepalive = 25
PublicKey = notsecret+butstillnotgoingtoshare=

Ok, let’s do some test first and get back to you.


My test shows WireGuard-specified DNS server is always used.
You can confirm by capture dns traffic. it’s normal if it goes by wgclient interface.

opkg update
opkg install tcpdump
tcpdump -i wgclient -s0 -n port 53

It isn’t used - run the provided tcpdump command and no queries are logged.

Change the interface to eth2, the upstream interface, and lots of DNS queries going outbound.

I can confirm precisely the same issue on MT3000 with firmware 4.2.1.

I can also confirm on Slate Plus and Beryl as well. Unless it’s manually specified, and even then there are dns leaks.

What is your method of testing? I usually use dnsleaktest for testing

I connected wireguard on version 4.2.1, and then tested it using the dnsleaktest website. The router always used the DNS in the wireguard configuration file. I also tested it after the router restarted, and tried to change the DNS configuration repeatedly, always with the same results.

1 Like

My Wireguard server is my own, at home - when in ‘road warrior’ mode, simple nslookup tests fail to resolve names defined on the other end of my VPN tunnel.