First, a caveat: I’m not running pure DD-WRT, but a GL-iNet router that has some UI shim (and possibly other stuff) running on top of DD-WRT.

The issue I’m seeking help on is that I am seeing odd behavior with client resolution, where sometimes LAN device names will resolve, and sometimes they won’t. When they won’t, there’s a thing I can do in the UI and it’ll start working again for a while, until it doesn’t.

The other variable is that I’ve got all outbound traffic going through a VPN, and DNS servers configured by the VPN. This does, and always has, worked, and DNS tests always confirm that external DNS requests are going to those servers.

The issue is that I want all LAN hosts to resolve using the leases. And sometimes this works, but sometimes it stops working and LAN hosts don’t resolve. I can fix this by toggling the “DNS Server Settings” between “DNS Proxy” with the IP of the router as the proxy, and “Automatic” (which, it appears to me, just sets resolution to the VPN settings). Toggling in either direction works, at least temporarily. Although I can’t replicate it at the moment, there was a time where I’d toggle in one direction (to “Proxy” probably) and LAN resolution would work but no WAN domain names would resolve until I switched it back to “Automatic.”

Oh – one other oddity: I disabled the “Allow Custom DNS to Override VPN DNS” which made things behave better, in general – it may be why I can no longer reproduce the “external domains don’t resolve” issue.

The behavior makes me suspect a couple of things:

  1. Applying the switch is restarting some service – probably masq – and possibly temporarily changing the configuration thereof.
  2. I have dnsmasq misconfigured such that it’s not falling back to the VPN-configured servers.

I had a third thought, but it’s gone now.

So, my question really boils down to how I need this configured such that my .lan hosts resolve via leases, but everything else goes through the VPN DNS servers. I avoid going in and changing things via the shell, but I’m not afraid to; I just prefer to have it done through the UI.

In the UI, there are three toggles, all off: rebinding attack protection; override DNS settings for all clients; and allow custom DNS to override VPN DNS. Then there’s the “Mode” with options “DNS Proxy,” “Automatic,” “Encrypted DNS,” and “Manual DNS.” I have only used Automatic and Proxy. Finally, when Proxy is enabled, there’s a proxy server address which, as I’ve said, is set to the LAN IP of the router.

I think I need to be on “DNS Proxy” as I’m using dnsmasq. But to ensure dnsmasq is using whatever current VPN DNS configuration setting is active, do I need to configure something in dnsmasq? I randomly choose a new VPN exit node once a day, which probably doesn’t change the DNS configuration (they don’t have that many DNS servers), but does restart the network when it happens (although, I do not think the restart triggers the issue).
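For the split described in the post (names under .lan answered from the DHCP lease table, everything else forwarded to the VPN resolvers), here is an added example of the dnsmasq directives that express that policy. It is not the poster’s configuration and not anything from GL-iNet or DD-WRT; the bridge interface name, lease-file path, resolver addresses and resolv-file path are assumptions written in as placeholders and must be matched to the router.

```conf
# Added example dnsmasq configuration (not the poster's config). The
# interface name, lease-file path, VPN resolver addresses and resolv-file
# path below are assumptions for illustration only.

# Answer only on the LAN bridge, never on the WAN/VPN side.
interface=br-lan
bind-interfaces

# Give every DHCP lease a name under .lan and answer those names from the
# lease table. "local=/lan/" keeps .lan lookups from ever being forwarded
# upstream, so internal hostnames are not sent to the VPN resolver and
# local resolution does not depend on the upstream answering at all.
domain=lan
expand-hosts
local=/lan/
dhcp-leasefile=/tmp/dnsmasq.leases

# Do not forward bare (dotless) names or reverse lookups for private
# address ranges to the upstream resolver.
domain-needed
bogus-priv

# Upstream: everything that is not .lan goes to the VPN-provided
# resolvers. Option A pins them explicitly (addresses are placeholders)
# and ignores any resolv.conf the WAN side may write.
no-resolv
server=203.0.113.53
server=203.0.113.54

# Option B, used INSTEAD of the three lines above: follow the file the
# VPN client writes, so a changed exit node is picked up automatically
# without editing this file. The path is an assumption.
#resolv-file=/tmp/resolv.dnsmasq
```

On DD-WRT these lines belong in the "Additional DNSMasq Options" box rather than in a file that the UI regenerates. To confirm the split is in effect, query the router directly for a leased name (for example `nslookup somehost.lan 192.168.8.1`) and for an external name, and temporarily enable dnsmasq’s `log-queries` option: a .lan lookup should show no forwarding at all, while the external lookup should show a forward to one of the VPN resolvers and nothing else. If the .lan answer disappears after the UI toggle, the toggle is regenerating the dnsmasq configuration without these directives, which matches the first suspicion in the post.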

  • optissima@lemmy.ml · 2 · 5 days ago

    I don’t have much insight beyond that you can access better logs and more through the LuCI interface provided at 192.168.8.1 for GL-iNet routers.