[Beryl AX3000] Custom WAN/WWAN DNS settings

Hello.

I need to set up custom DNS settings for the router itself to use. In mainline OpenWrt I do so by just setting DNS servers on a WAN interface.

I can't find the correct way to do that in the Beryl AX3000 custom UI. I.e. the DNS settings that the router uses are just pulled in from the upstream router via DHCP and cannot be overridden:

Of course, I can change that setting in LuCi:

But the thing is that whatever changes I make and save there do not survive a reboot - i.e. once the router is rebooted, the changes get reverted and the old settings get restored:

Can you please help me figure out how I can override that setting and have it persisted in a way that would keep it across reboots?

Thanks.

Inside the settings (in GL GUI) Network > DNS should be everything you need.
See DNS - GL.iNet Router Docs

Thank you for the prompt reply. But since I have AGH enabled, my Network -> DNS section looks like this:

So I just do not see a place where I could manually set my DNS for the router to use.

In that case the router itself will use AGH as well.

Yes, I know that )
But I don't want it to. I specifically want my router to use DNS that I put in the settings manually. And there is a reason I want it to be different from what the clients of the router will use (the AGH, supplied via option 6 in LAN DHCP settings).

In vanilla openWRT this is easy to achieve - I just need to uncheck the checkbox I showed in the screenshot. But when doing that on the Beryl AX3000, my settings get reverted after a reboot. I do not want that. I want it to be the way I set it.

So I'm wondering if there is any way to tell the device to turn off its obnoxious smarts and keep the settings I entered.

I don't even know if it's possible, to be honest.
Many features were built to be leak-proof - at least in my brain it sounds like your construct would break it, so I am not really sure if there is an option for that.

Since you already transmit AGH via DHCP option 6 - wouldn't it be easier to exclude the AGH filtering for your router?

My issue is not about excluding something from AGH filtering. The reason is that my AX3000 router runs an XRAY tunnel (in client mode), and I route all DNS traffic from the entire network behind the AX3000 to that tunnel. But the tunnel software itself uses DNS (e.g. when starting up, establishing a new connection, etc.) to resolve the XRAY server's name in order to establish a connection. For that to work, those DNS requests obviously need to bypass the tunnel (which is just being created)..
The way I do that in vanilla openWRT: I set a dedicated DNS server for the router (e.g. 8.8.8.8) and set up special iptables rules not to route it to the tunnel.

But the AX3000 is playing smart with me and keeps reverting custom DNS settings done via LuCi.

Shouldn't Adguard Home: Select upstream DNS for specific client? - #6 by danbratu do the trick?

Thanks for the suggestion. But in my setup the full chain is DNSMASQ -> AGH -> UPSTREAM_DNS. So AGH in that case sees only one client - dnsmasq (i.e. 127.0.0.1). If I fully switched to AGH only and let it handle the ipsets, it could work, I think.
Another option I'm considering is assigning a unique GID to the AGH process and modifying my iptables rules a bit to route to the tunnel only the DNS traffic coming from a process with that specific GID.

But before taking out big guns like that, I first wanted to explore a simpler option and figure out if there is a way to tell the AX3000 not to be that stubborn :)

Found a way to force custom DNS address in the XRAY config.
But the fact that AX3000 is so obnoxiously "helpful" still bums me out..

BTW, I'm already starting to regret spending money on that device.. As good as it sounds to be able to hook up to a public wifi and hide your devices behind this router, the software is still too raw imo.

I just spent several hours today trying to figure out quirks around DNS and XRAY - all my other openWrt devices are just working fine both as XRAY servers and as XRAY clients. But with AX3000 a server just refused certain TLS connections when SNI fragmentation was configured on the client (AX3000)..

At first I was blaming the different openwrt version - the AX3000 runs a custom fork of 21.02. And only after hours of poking around I stumbled upon a custom iptables chain named PORTAL_TTL. I don't know what exactly it is for there, but once I un-hooked that chain from POSTROUTING, everything started to work like a charm that same very moment..

Can anyone enlighten me on the following:

  1. What problem(s) is that rule supposed to help with? Use cases?
  2. Is there any safe way to turn it off? (Just dropping it from POSTROUTING on boot seems more like a hack.)

Thank you.

@bruce Can you help here?

The chain PORTAL_TTL is designed for flow control of captive portal traffic based on the TTL value in the packet, redirecting to a portal page before accessing the internet.

Q2 is being confirmed.

Just an update on Q2:
This code will be updated in v4.7.0; the PORTAL_TTL rule will only take effect when repeater and camouflage are enabled.

Awesome. Thanks for the update!

@bruce, any plans to have a UI "knob" to set custom WAN/WWAN DNS and have it persisted across reboots? That's the other part of the original problem described in the first posts:

Can you please help me figure out how I can override that setting and have it persisted in a way that would keep it across reboots?

Now that you have enabled AGH and want to configure the custom DNS server, you can set this in AGH.

Because even if the DNS of the WAN/WWAN interface is changed/configured, all clients' DNS request traffic still actually goes through AGH and follows the AGH DNS settings.

Or if AGH is not enabled, you can configure it in GL GUI -> Network -> DNS

Not really. It's not about what clients will use, but the device itself. And since the device uses the DNS servers from WAN/WWAN, I want that setting to be persisted when I change it in LuCi.

Right now whatever changes I make get lost when I reboot the device - it always gets reset to "use upstream DNS". This is quite annoying as I know better what effect I want to achieve and I do not want the add-on "smarts" to be in the way.

You can run these commands automatically on every boot like this, to persist the DNS configuration:

vi /etc/rc.local

Add these in rc.local; you can customize the DNS IPs:

uci -q del dhcp.wan.ra_flags  # clear old lists first so each boot does not append duplicates
uci add_list dhcp.wan.ra_flags='none'
uci -q del network.wan.force_link
uci set network.wan.peerdns='0'  # stop using the resolvers the upstream router hands out via DHCP
uci -q del network.wan.dns
uci add_list network.wan.dns='8.8.8.8'
uci add_list network.wan.dns='8.8.4.4'
uci commit dhcp
uci commit network
/etc/init.d/network reload  # apply the committed settings
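
A check for the rc.local approach above, added here as an example and not code from the thread or from GL.iNet: it parses the output of uci show network.wan (the sample outputs below are constructed) and tells you whether the override is actually in effect after a reboot.

```shell
#!/bin/sh
# Post-reboot check for the WAN DNS override: parses the text of
# `uci show network.wan` (passed in as $1) and returns 0 only when
# peerdns is explicitly off and every expected server is in the dns list.
wan_dns_override_ok() {
    show="$1"
    shift
    # peerdns='0' is what stops the router from taking the upstream
    # router's DHCP-supplied resolvers; anything else means it reverted
    echo "$show" | grep -q "^network\.[A-Za-z0-9_]*\.peerdns='0'$" || return 1
    dns_line=$(echo "$show" | grep "^network\.[A-Za-z0-9_]*\.dns=" || true)
    [ -n "$dns_line" ] || return 1
    # uci prints list options on one line: network.wan.dns='8.8.8.8' '8.8.4.4'
    for server in "$@"; do
        case "$dns_line" in
            *"'$server'"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample output (not captured from a device): the reverted
# state the thread describes, where peerdns is back on after a reboot.
REVERTED_WAN="network.wan=interface
network.wan.device='eth0'
network.wan.proto='dhcp'
network.wan.peerdns='1'"

# Constructed sample output: state after the rc.local commands were committed.
OVERRIDDEN_WAN="network.wan=interface
network.wan.device='eth0'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='8.8.8.8' '8.8.4.4'"

# On the router itself, run it against the live config (e.g. at the end of
# rc.local, after applying the override) and record the outcome in syslog:
#   if wan_dns_override_ok "$(uci show network.wan)" 8.8.8.8 8.8.4.4; then
#       logger -t wan-dns "custom WAN DNS override is in effect"
#   else
#       logger -t wan-dns "WAN DNS override missing, settings were reverted"
#   fi
```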

Thanks, that'll definitely cut it as a workaround. Still, I'm not sure I understand the reason for this behavior: the GL.iNet UI doesn't have this option plumbed through (WAN/WWAN DNS), and when I make these specific changes in LuCi, they are reverted upon reboot.. Do you happen to know what the purpose is?