Hello all, I got a Flint 2, my first non-ISP-provided router, and most things have been easy enough to figure out on my own, but I'm having an issue with split-tunneled apps ignoring AdGuard and resolving to Cloudflare and Google DNS. I've been using Firefox within the VPN and Waterfox outside the VPN for consistent testing. I've had the router a grand total of 20 hours, so apologies if I forget to include anything pertinent.

**Setup:**
- Client: Debian with KDE Plasma
- Router: GL.iNet Flint 2 (OpenWrt), AdGuard Home enabled
- AdGuard upstreams: Mullvad DoH + Quad9 DoH
- Router DNS settings:
  - Override DNS settings for ALL clients
  - Allow custom DNS to override VPN DNS
- VPN: Proton VPN GUI (Linux), split tunneling enabled
  - Firefox (in tunnel) → correctly shows Quad9/Mullvad
  - Waterfox (excluded from tunnel) → shows Cloudflare/Google DNS on leak tests
**Waterfox settings:**
- DNS over HTTPS - Off
- Network settings - Proxy - Off
- network.trr.mode = 5
- network.trr.custom_uri = ""
- network.trr.default_provider_uri = ""
- network.dns.native_https_query = false
- network.dns.echconfig.enabled = false
- captivedetect.canonicalURL = ""
**Test results:**
- `tcpdump -i any -n port 53` showed queries from 192.168.8.101
- Router logs show AdGuard Home running on 3053
- Intermittent "unexpected EOF" errors from the Quad9 DoH upstream, but resolution works on all apps going through the VPN
**Things I've tried:**
- Changed TRR and DoH settings in Waterfox, pointing them at my router, at Mullvad DNS directly, and leaving the values empty
- Checked tcpdump to see packets reaching the router
- Started Waterfox in safe mode to ensure no extensions are interfering

If there's anything obvious going over my head, or any suggestions, I'm all ears. Thank you!
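When triaging a split-tunnel DNS leak like the one above, the useful question is "which resolver did each app's queries actually go to?", which a raw `tcpdump port 53` dump answers only after some counting. The script below is an added example (not code from the original post or from GL.iNet/Proton): it parses tcpdump `-n` text output, counts port-53 queries per (source, destination) pair, and flags every destination that is not the router. The router address `192.168.8.1` and the capture lines in `SAMPLE` are assumptions constructed for the example; the public resolver addresses are the well-known Cloudflare, Google and Quad9 ones.

```python
import re
from collections import defaultdict

# ASSUMPTION for this example: the LAN address of the router running AdGuard Home.
ROUTER = "192.168.8.1"

# Well-known public resolvers, used only to label where a leaked query went.
KNOWN_RESOLVERS = {
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "9.9.9.9": "Quad9", "149.112.112.112": "Quad9",
}

# Matches the "IP src.port > dst.port:" part of a `tcpdump -n` line. It works
# with or without the interface/direction columns ("wlan0 Out") that newer
# tcpdump versions print when capturing with `-i any`.
LINE_RE = re.compile(r"\bIP6?\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):")

# Constructed sample capture (not a real dump): two queries reach the router,
# one goes straight to Cloudflare and one straight to Google.
SAMPLE = """\
12:00:01.000001 IP 192.168.8.101.40001 > 192.168.8.1.53: 1001+ A? example.com. (29)
12:00:01.000200 IP 192.168.8.1.53 > 192.168.8.101.40001: 1001 1/0/0 A 93.184.216.34 (45)
12:00:02.000001 IP 192.168.8.101.40002 > 1.1.1.1.53: 1002+ A? example.org. (29)
12:00:03.000001 wlan0 Out IP 192.168.8.101.40003 > 8.8.8.8.53: 1003+ AAAA? example.net. (31)
12:00:04.000001 IP 192.168.8.101.40004 > 192.168.8.1.53: 1004+ A? example.org. (29)
""".splitlines()


def parse_line(line):
    """Return (src, sport, dst, dport) for a tcpdump line, or None if it is not an IP packet line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def summarize(lines, router=ROUTER):
    """Count queries (destination port 53 only, so replies are skipped) per
    (source, destination) and mark any destination other than the router as a leak."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _sport, dst, dport = parsed
        if dport != 53:
            continue
        counts[(src, dst)] += 1
    report = []
    for (src, dst), n in sorted(counts.items()):
        label = "router" if dst == router else KNOWN_RESOLVERS.get(dst, "unknown resolver")
        report.append({"src": src, "dst": dst, "label": label,
                       "queries": n, "leak": dst != router})
    return report


def leaks(lines, router=ROUTER):
    """Only the entries that bypassed the router."""
    return [entry for entry in summarize(lines, router) if entry["leak"]]


if __name__ == "__main__":
    # Real use: tcpdump -i any -n -l port 53 | python3 this_script.py
    import sys
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for entry in summarize(source):
        flag = "LEAK" if entry["leak"] else "ok  "
        print(f"{flag} {entry['src']} -> {entry['dst']} ({entry['label']}): {entry['queries']} queries")
```

Two caveats when reading the output. Only plain DNS on port 53 is visible here; if a leak test still reports Cloudflare or Google while nothing but the router shows up on port 53, the app or the OS resolver is talking DoH (443) or DoT (853) and you need to capture those ports instead. And a leak-test site reports the resolver that reaches its authoritative server, so queries that do go through AdGuard Home will show up as Mullvad or Quad9, exactly as the in-tunnel Firefox result above shows.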