Wireguard server not using DNS settings that are defined in WAN settings

GuardYaGrill

Occasional Visitor
Evening,

Ever since I set up my two PiHoles, one behind Proxmox and the other on bare metal, I've been trying to get my WireGuard server that is hosted on my Asus RT-AX86U to make use of my DNS sinkholes. In every forum topic I visit, people say to just edit the DNS = field on the client to point to my LAN devices hosting the resolvers (like this post, for example), but that never seems to work for me and I can't figure out why. I should note that I do have a VPN Director rule for 10.6.0.0/24 to forward all queries through my VPN provider; however, disabling this rule doesn't seem to make any difference.

Is there no way to force 10.6.0.0 followed by some CIDR to use a specific DNS? DNS Director only seems to accept MAC addresses, so that doesn't work here. If I have to SSH into the router and run a command, I'll do it; I've just got no idea of the command or options I would need.

If anyone has suggestions it would be greatly appreciated! Thanks for reading

Example client config & images in case they're useful:

Code:
[Interface]
PrivateKey = REDACTED
Address = 10.6.0.2/32
DNS = 192.168.1.199, 192.168.1.14

[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/0,192.168.1.0/24
Endpoint = my.ddns.com:51820
PersistentKeepalive = 25

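One thing worth checking on any client config before looking at the router, as an added example that is not from this thread: every resolver listed under DNS = must fall inside some AllowedIPs range, otherwise the queries never enter the tunnel and leave via the client's normal path. The script below parses a WireGuard client config (the sample is constructed from the one in the post) and reports which AllowedIPs route, if any, covers each resolver; the 0.0.0.0/0 config in the post passes this check, which rules that cause out.

```python
import ipaddress

# Constructed sample modelled on the client config quoted in the post (keys redacted).
SAMPLE_CONF = """\
[Interface]
PrivateKey = REDACTED
Address = 10.6.0.2/32
DNS = 192.168.1.199, 192.168.1.14

[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/0,192.168.1.0/24
Endpoint = my.ddns.com:51820
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Return (dns_servers, allowed_networks); DNS search domains are skipped."""
    section, dns, allowed = None, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key, items = key.strip().lower(), [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key == "dns":
            for item in items:
                try:
                    dns.append(ipaddress.ip_address(item))
                except ValueError:
                    pass  # a search domain, not a resolver address
        elif section == "peer" and key == "allowedips":
            # several [Peer] sections are merged into one AllowedIPs list
            allowed.extend(ipaddress.ip_network(v, strict=False) for v in items)
    return dns, allowed


def dns_routing_report(text):
    """Map each DNS server to the most specific AllowedIPs network covering it,
    or None when no AllowedIPs route covers it (queries would bypass the tunnel)."""
    dns, allowed = parse_wg_conf(text)
    report = {}
    for ip in dns:
        nets = [n for n in allowed if n.version == ip.version and ip in n]
        report[str(ip)] = str(max(nets, key=lambda n: n.prefixlen)) if nets else None
    return report
```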
 
In every forum topic I visit, people say to just edit the DNS = field on the client to point to my LAN devices hosting the resolvers (like this post, for example), but that never seems to work for me
If I remember correctly, the router does not do anything about DNS for WireGuard server clients.

If the clients are not using your set WireGuard DNS, it's a client issue. Have you turned off DNS privacy in the client console?

If it's just not resolving anything, it's likely a PiHole issue.

What type of issue do you have?

What client type, Windows? What Wireguard program?
 
If I remember correctly, the router does not do anything about DNS for WireGuard server clients.
If the clients are not using your set WireGuard DNS, it's a client issue. Have you turned off DNS privacy in the client console?
I suspect it's defaulting to my ISP's provided DNS, but I really have no way to prove it. Both my LAN & WAN settings on my router are configured to use my PiHoles; my PiHoles recognize queries from all LAN devices.
If it's just not resolving anything, it's likely a PiHole issue.

What type of issue do you have?

What client type, Windows? What Wireguard program?
I'm using the WireGuard client for iOS/iPadOS, and I do get internet access connected to the WireGuard server and I can access LAN devices; however, PiHole doesn't get queries from the WireGuard-connected clients, therefore I'm not benefiting from the many ad/malware blocklists I have.
 
I'm using the WireGuard client for iOS/iPadOS, and I do get internet access connected to the WireGuard server and I can access LAN devices; however, PiHole doesn't get queries from the WireGuard-connected clients, therefore I'm not benefiting from the many ad/malware blocklists I have.

Did you turn off private relay in your iCloud settings?
 
If Private Relay is active (turned on), then it does work on all networks: cellular, WiFi and LAN.
You need to disable it for each specific network, and the settings are on different menus in iOS, for example.

Read and follow the guidelines here:
I understand Private Relay takes precedence over any other manually defined DNS, but it’s not just iOS/iPadOS I have this issue with, I have about 7-8 other clients from people who I allowed to VPN into my network and one of those clients is actually another ASUS WRT Merlin router. None of these clients are using my PiHoles either.
 
@GuardYaGrill Probably unrelated to your problem, but I notice you have set your pi-hole's domain name (under DNS Settings) to "rt-ax86u". Are you sure that's correct? That's rather odd naming. It should be the same as you've set on the router (LAN - LAN IP > RT-AX86U's Domain Name).
 
@GuardYaGrill Probably unrelated to your problem, but I notice you have set your pi-hole's domain name (under DNS Settings) to "rt-ax86u". Are you sure that's correct? That's rather odd naming. It should be the same as you've set on the router (LAN - LAN IP > RT-AX86U's Domain Name).
Thanks for your response! Yeah, rt-ax86u is the domain my router uses; pretty sure the default is Local or something along those lines.

Edit: wow the compression on the image below is horrendous, just going to have to take my word for it!

 
I understand Private Relay takes precedence over any other manually defined DNS, but it’s not just iOS/iPadOS I have this issue with, I have about 7-8 other clients from people who I allowed to VPN into my network and one of those clients is actually another ASUS WRT Merlin router. None of these clients are using my PiHoles either.

You mentioned that the devices are Apple products, and I know from personal experience that Private Relay is very aggressive. It's a pain in the butt if you want to turn it off for specific networks but use it on others. Settings are all over the place: some in WiFi, some in cellular and some in the browser.
Just giving you something to try - it might be part of the problem. Take care.
 
Thanks for your response! Yeah rt-ax86u is the domain my router uses, pretty sure the default is Local or something along those lines.

Edit: wow the compression on the image below is horrendous, just going to have to take my word for it!

OK, no problem. Thanks for the clarification.

I'd also note that you appear to be using an RT-AX86U Pro rather than an RT-AX86U as you initially wrote (and I didn't notice it in your screenshot). They use completely different firmware branches so I don't know whether that might have any bearing on your problem. 🤷‍♂️ I only have the non-Pro version.

Do you have any non-Apple devices you can test from?

EDIT: I'm not an Apple user, is the following notice relevant to your devices? I'm guessing this is what you've already done.
 
OK, no problem. Thanks for the clarification.

I'd also note that you appear to be using an RT-AX86U Pro rather than an RT-AX86U as you initially wrote (and I didn't notice it in your screenshot). They use completely different firmware branches so I don't know whether that might have any bearing on your problem. 🤷‍♂️ I only have the non-Pro version.
Thanks, yeah, I know the Pro version of the RT-AX86U is a different branch. I actually have both the Pro and non-Pro version (the non-Pro is a part of the mesh network).

Do you have any non-Apple devices you can test from?

EDIT: I'm not an Apple user, is the following notice relevant to your devices? I'm guessing this is what you've already done.

Yeah, as mentioned in my other comment, my buddy and I both VPN into each other's networks; his RT-AX88U doesn't utilize my PiHoles either. The DNS field on my clients explicitly defines DNS = 192.168.1.199, 192.168.1.14, but alas, no luck.
 
