Split DNS (not "split tunnel")?

Is it possible with the GLi firmware to send DNS lookups for a given domain (e.g. *.example.vwan) to a given DNS server, and handle all other DNS lookups as normal?

This is not the same thing as defining e.g. Addresses = /.example.vwan/192.168.8.25 in Luci > DHCP and DNS > General. I am looking to forward the actual DNS queries for *.example.vwan to a local DNS server on my network.

If this IS possible, either thru the GLi interface directly or thru Luci: how is it affected by using Encrypted DNS, or by using a VPN?

  • Is this possible while using Encrypted DNS? Or must DNS mode be set to Automatic for this to work?
  • Is this possible while using a VPN (for all internet traffic, i.e. 0.0.0.0/0)?

Initial success without any sort of Encrypted DNS enabled:

  1. In the GLi firmware, switch DNS to Manual DNS mode.

    • Use a DNS provider of choice, such as Cloudflare or Quad9.
    • Add the IP of the DNS server in question on your local network, e.g. 192.168.8.25

In this case, lookups to the desired domain (*.example.vwan) succeed, and lookups to everything else succeed, and no feathers seem to be ruffled, even though the local server won't know anything about most of the non-local queries it receives (it's an instance of dnsmasq set up to only return local results, no forwarding/recursive lookup).

This worked, after my failure at trying /example.vwan/192.168.8.25 and /vwan/192.168.8.25 in the exact same DNS Forwardings (Luci) / Manual DNS (GLi) field. Neither of these did what I believed they were supposed to do.

Edit: I can't get this working stably however, not sure why, although I may factory reset and try again.

You could make a local domain but without encrypting DNS.


Then type manual hostnames like 192.168.8.1 = router.lan

1 Like

My problem when I was messing with this yesterday was that I tried the Addresses method (the lower circle on your screenshot) which didn't work, and I also tried DNS Forwardings, and that worked briefly and then stopped and I'm not sure why.

I haven't yet tried setting up a Local Server because I'm not trying to serve DNS for my LAN. I realize that sounds weird, but this is for a separate private domain on my LAN; I'm building a private proxy host with name-based virtual hosting (think nginx or Caddy's ability to serve websites for many domains on a single host). So, ideally I want to forward queries for *.example.vwan to a DNS server running on the proxy host.

Anyway, I'm going to keep trying, guess we'll see what happens.

Edit: After a factory reset, I put the device in Manual DNS mode, with the address of the proxy host in DNS Server 1 field, and a generic provider in the DNS Server 2 field.

DNS is now resolving properly for the private domain, and it survived a reboot this time. I will use this config a while, see if it is fragile, and report back.

Edit 2: this mysteriously stops working after a minute or two of working properly!! What on earth?

Edit 3: from an explanation of Luci > Network > DHCP and DNS > Advanced Settings > All Servers:

By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this parameter forces dnsmasq to send all queries to all available servers. The reply from the server which answers first will be returned to the original requester.

So ... I probably can't just add in the proxy host's DNS server (which only replies affirmatively for things it knows about, not other stuff on the internet as well) and expect things to Just Work; whether they work or not would be non-deterministic in this scenario.

I'm going to use this post to collect my knowledge about how GL.iNet's DNS layer works in re: how it relates to Luci / underlying OpenWRT.

Note: everything was tested with a VPN enabled for all traffic, and Allow Custom DNS to Override VPN DNS turned on.

Settings Equivalents

GLi Setting                            Luci Setting (may be incomplete)
DNS Rebinding Attack Protection        Network > DHCP and DNS > General > Rebind Protection
Allow Custom DNS to Override VPN DNS   ??

DNS Mode: Automatic

TBD

DNS Mode: Manual

The GLi UI in Manual mode offers up to 4 text fields for users to input DNS servers.

It appears these fields are directly placed in Luci's DNS Forwardings field.

Other settings: TBD

DNS Mode: Encrypted DNS

The GLi UI in Encrypted DNS mode offers a choice of Encryption Type and DNS Provider. I tested each one with a random provider from the list, or 9.9.9.9.

DNS over HTTPS

Luci's DNS Forwardings field is set to 127.0.0.1#5453. Other settings TBD.

DNS over TLS

Luci's DNS Forwardings field is set to 127.0.0.1#5453. Other settings TBD.

DNSCrypt-Proxy

Luci's DNS Forwardings field is set to 127.0.0.1#5453. Other settings TBD.

DNS Mode: DNS Proxy

The GLi UI in Manual mode offers up to 1 text field for users to input a DNS proxy server address.

It appears this field is directly placed in Luci's DNS Forwardings field.

Other settings: TBD

Have you tried Adguard DNS rewrite + reverse proxy somewhere (a mini server such as a Raspberry Pi 4 or NUC)?
https://www.reddit.com/r/Adguard/comments/c2hl0z/adguard_home_for_local_dns/?rdt=46921

1 Like

I was thinking about doing this, but I got it working another way.

As a reminder, I'm using an always-on VPN on the router, so these settings are with that in mind.

The settings

GLi settings

Network > DNS > DNS Rebinding Attack Protection must be off.

Network > DNS > Allow Custom DNS to Override VPN DNS is on.

I used Mode Encrypted DNS, Type DNS over TLS, provider Cloudflare.

Luci settings

After confirming the settings in the GLi interface:

In Network > DHCP and DNS > General > DNS Forwardings, I added an additional forwarding to the one GLi puts there in Encrypted DNS mode. My forwarding has the text /example.vwan/1xx.2x.1xx.xx (the IP of the proxy host, which is running a DNS server which answers for example.vwan).

Hit Save and Apply. These changes should continue to work after further reboots.

2 Likes
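As an added example (not code from this thread, GL.iNet or OpenWrt), here is a small Python model of the dnsmasq upstream-selection rules behind the "All Servers" note above and the scoped /example.vwan/ forwarding that finally worked. It shows why listing the local-only server as a plain upstream leaves internet lookups non-deterministic while the /domain/ form sends only that domain to it; the query names and the plan_query helper are assumptions of this example.

```python
# Added example, not from the thread or from GL.iNet/OpenWrt code.
# It models how dnsmasq (the resolver behind LuCI's "DHCP and DNS" page)
# chooses where a query goes, given the "DNS Forwardings" (server=) and
# "Addresses" (address=) entries the GL.iNet UI writes.  The query names
# below are constructed sample values.

def parse_forwarding(entry):
    """'/example.vwan/192.168.8.25' -> ('example.vwan', '192.168.8.25').
    A bare '9.9.9.9' -> (None, '9.9.9.9'): a catch-all upstream."""
    if entry.startswith('/'):
        _, domain, server = entry.split('/', 2)
        return domain.lower().strip('.'), server or None
    return None, entry

def in_domain(qname, domain):
    """dnsmasq matches a /domain/ entry against the name and its parents."""
    q = qname.lower().rstrip('.')
    return q == domain or q.endswith('.' + domain)

def plan_query(qname, forwardings, addresses=()):
    """Return ('answer', ip) when an address= entry makes dnsmasq answer
    itself, or ('forward', [servers]) listing every upstream that may be
    asked.  More than one server in that list means the reply depends on
    which one dnsmasq picks (or, with 'All Servers', answers first)."""
    for domain, ip in (parse_forwarding(a) for a in addresses):
        if domain and in_domain(qname, domain):
            return 'answer', ip
    parsed = [parse_forwarding(f) for f in forwardings]
    scoped = [(d, s) for d, s in parsed if d and in_domain(qname, d)]
    if scoped:
        longest = max(len(d) for d, _ in scoped)  # most specific wins
        servers = [s for d, s in scoped if len(d) == longest and s]
    else:
        servers = [s for d, s in parsed if d is None]
    return 'forward', servers

# The thread's first attempt: local server listed as a plain upstream.
MANUAL_DNS = ['192.168.8.25', '9.9.9.9']
# The working configuration: the Encrypted DNS stub plus the scoped entry.
SCOPED = ['127.0.0.1#5453', '/example.vwan/192.168.8.25']

if __name__ == '__main__':
    for name in ('proxy.example.vwan', 'www.openwrt.org'):
        print(name, 'manual ->', plan_query(name, MANUAL_DNS))
        print(name, 'scoped ->', plan_query(name, SCOPED))
```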