[thunderhead]

I am using v3.0-r36070M on my R7000 and would like to change the DNS servers from the ISP defaults to Quad9. I went to Setup>Basic Setup and scrolled down to "Static DNS 1" where I changed the 0.0.0.0 to 9.9.9.9. After applying, I tested with https://www.dnsleaktest.com but found that I was still using the ISP's DNS servers. What am I doing wrong? Thanks.

[Alozaros]

ok follow those rules
add 3 entries to static DNS
9.9.9.9
149.112.112.9
149.112.112.112


than use force DNS redirection on set up page
so no other DNS servers will be permitted only your selected and all the client devices will use only those

then go to services and select
use DNSmasq
Local DNS
No DNS Rebind
Query DNS in Strict Order

copy /paste this to Additional DNSMasq Options

domain-needed
bogus-priv
no-resolv
server=9.9.9.9
no-negcache

if you want you can add 1.1.1.1 or 1.0.0.1 as a spare servers
those also belongs to Quad9 - 149.112.112.9 & 149.112.112.112 as well all those here

https://quad9.com/doh-quad9-dns-servers

there is a trick how to set and use DoH via Firefox as 9.9.9.9 now supports it too

look at my last post
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1145961#1145961

[mrjcd]

QUAD9 DNS servers that have DNSSEC + other protection --
IPv4 DNS:
9.9.9.9
149.112.112.112

IPv6 DNS:
2620:fe::fe
2620:fe::9

QUAD9 unsecured DNS servers --
IPv4:
9.9.9.10
149.112.112.10

IPv6 DNS:
2620:fe::10
2620:fe::fe:10

https://www.quad9.net/faq/

[thunderhead]

Thanks for the replies... for me the solution was based on Alozaros' reply. What I did:

NOTE - bold text indicates a deviation from the default settings I had.
Setup>DHCP section

[grc]

the only "secure" option is to use

[bushant]

Does this work the same?

resolv-file=/opt/resolv.dnsmasq

Where resolv.dnsmasq is placed in /opt (on USB) to reduce nvram size. It will have no ISP DNS in it. Or does it continue to use /tmp/resolv.dnsmasq if I havn't added "no-resolv" ?

[grc]

I don't think so. it will probably combine this two files.

From Man page of Dnsmasq:

[bushant]

[egc]

@grc is absolutely right in his assessment (as far as my knowledge goes )
IF you want to stick to using resolve.dsnmasq (I am doing exactly as @grc use no-resolv, server=xxx, in additional options)you can also try the following to rewrite it, add to Commands/Startup:

[Alozaros]

you don't need this code it just another messy thing
just use no-resolv, server=xxx its fair enough


the only shait i see is if i use FFx with quad9 via DoH, or my other routers with DNScrypt
it works great and secure using DoH and tls 1.2/1.3 or DNScrypt...
but if i use Chrome it only uses my routers DNS resolver and its settings...but on the low level
units its less secure no DNSSEC validation is performed on router level only on DNS resolver level and Chrome does not provide DoH yet...if Chrome implements DoH than i might get back to it...i also wish at least my TP-Link WR1043ND v2 could support DNSSEC on router level