✅ What Works Well (Best Practices)
1. Set Quad9 DNS in the WAN Interface (IPv4 & IPv6)
- Go to Network → Interfaces → WAN (and WAN6) → Edit → Advanced Settings
- Uncheck: Use DNS servers advertised by peer
- In Use custom DNS servers, enter the Quad9 IPs:
  - IPv4: 9.9.9.9 and 149.112.112.112
  - IPv6 (optional): 2620:fe::fe and 2620:fe::9
This ensures your router forwards DNS requests only to Quad9, preventing ISP DNS leakage.
2. Configure DHCP Option 6 in LAN Interface
- Go to Network → Interfaces → LAN → Edit → DHCP Server → Advanced Settings
- In DHCP Options, add the IP address of the LAN bridge interface, like this: 6,192.168.1.X
3. Leave the LAN Custom DNS Servers Field Empty (still to be checked: whether adding the Quad9 IPs here as well works alongside this)
- This avoids clients bypassing the router and going directly to external DNS.
- Ensures all DNS queries route through your router where you control/filter them.
4. Remove Extra DNS Forwardings (Unless Needed)
- Go to Network → DHCP and DNS → DNS Forwardings
- Remove any entries if you’ve already set Quad9 in the WAN interface
- Avoid redundant/conflicting DNS definitions
❌ What might be Redundant or Unnecessary
- Setting Quad9 both in WAN custom DNS and DNS Forwardings — you only need one.
- Setting custom DNS servers in LAN interface (clients get DNS from DHCP Option 6 pointing to router).
- Leaving Use DNS servers advertised by peer checked in WAN/WAN6 — leads to ISP DNS inclusion.
⚠️ What Doesn’t Work Well or Causes Issues
- Not disabling Use DNS servers advertised by peer — results in ISP DNS leaking into resolv.conf.
- Adding other upstream DNS servers (e.g., ISP DNS) alongside Quad9 — causes inconsistent filtering and logging.
- Forcing clients to use external DNS directly by setting LAN custom DNS — bypasses router’s DNS filtering and logging.
- Not configuring IPv6 DNS properly in WAN6 if using IPv6.
🔄 How DNS Flow Works in This Setup
- Clients get 192.168.1.1 (your router) as DNS server via DHCP Option 6.
- Router runs dnsmasq listening on localhost and the LAN IP.
- Router forwards DNS queries only to Quad9 servers set in WAN interface.
- No ISP DNS leakage, clean DNS logs, and effective filtering.
🔎 Testing & Verification
- Use logread | grep dnsmasq to verify the upstream servers.
- Use nslookup or dig to test DNS resolution.
- Run DNS leak tests from a client device (e.g., dnsleaktest.com).
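As an added check that is not part of the original post: a small POSIX shell snippet that parses the output of logread | grep dnsmasq and flags any upstream resolver that is not one of the Quad9 addresses listed above. The log lines below are constructed samples, with a made-up 192.168.178.1 entry standing in for an ISP resolver that leaked in because "Use DNS servers advertised by peer" was still checked.

```shell
# Constructed sample of what `logread | grep dnsmasq` prints on OpenWrt.
SAMPLE_LOG='Mon Jan  1 00:00:01 2024 daemon.info dnsmasq[1234]: started, version 2.90 cachesize 150
Mon Jan  1 00:00:01 2024 daemon.info dnsmasq[1234]: using nameserver 9.9.9.9#53
Mon Jan  1 00:00:01 2024 daemon.info dnsmasq[1234]: using nameserver 149.112.112.112#53
Mon Jan  1 00:00:01 2024 daemon.info dnsmasq[1234]: using nameserver 192.168.178.1#53
Mon Jan  1 00:00:01 2024 daemon.info dnsmasq[1234]: using local addresses only for domain lan'

# Resolvers dnsmasq is expected to use: the Quad9 addresses from the guide.
ALLOWED='9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9'

# Print every upstream dnsmasq announced, one per line, without the #port suffix.
upstreams() {
    printf '%s\n' "$1" | sed -n 's/.*using nameserver \([^#]*\)#.*/\1/p'
}

# Print every upstream that is NOT in ALLOWED (an ISP or other leak).
# Returns 0 when the upstream list is clean, 1 when something leaked in.
leaked_upstreams() {
    rc=0
    for ns in $(upstreams "$1"); do
        case " $ALLOWED " in
            *" $ns "*) ;;
            *) printf '%s\n' "$ns"; rc=1 ;;
        esac
    done
    return $rc
}

# On the router itself, run against the live log:
#   leaked_upstreams "$(logread | grep dnsmasq)" && echo "only Quad9 upstreams"
```

Run it after each config change and again after a WAN reconnect, since peer-advertised resolvers are re-added when the PPP/DHCP lease renews.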
The results from dnsleaktest.com do not correctly show that your device is using Quad9’s DNS servers (they show WoodyNet instead)
This can be confusing because the test doesn’t explicitly name “Quad9.” Here’s why you see “WoodyNet” instead:
- Quad9 is not a server owner. Quad9 is a non-profit organization that provides the DNS service. It doesn’t own the physical servers that handle the requests.
- Packet Clearing House (PCH) is the server host. Quad9 partners with Packet Clearing House (PCH), a non-profit that manages internet exchange points and hosts the DNS servers for Quad9.
- WoodyNet is the name for PCH’s network. “WoodyNet” is the network name (often called an ISP) associated with Packet Clearing House. The name comes from Bill Woodcock, the executive director of PCH.
In short, your DNS query goes to Quad9, which uses the physical network infrastructure of PCH (WoodyNet) to route the traffic.
How to be 100% sure
To confirm that your DNS traffic is passing through Quad9 and not just a different public DNS, you can use one of the other methods mentioned previously:
- Use the official Quad9 verification page: go to https://on.quad9.net/ in your browser. This site is designed specifically to confirm whether your DNS queries are routed through Quad9.