151
Votes

Feature Request - Guest Network separate DHCP/DNS settings

 

210 Reply
[Recommended Solution]Feature Request - Guest Network separate DHCP/DNS settings
2025-02-11 01:31:12

  @TP-Link

Please implement the feature of allowing separate DNS for main and Guest network.

Using a local DNS server for the main network has the effect of rendering the Guest network unusable without the installation of a secondary local DNS server just for the guest network.


#207
RE:Feature Request - Guest Network separate DHCP/DNS settings
2025-02-28 07:08:48
Count me in with this Feature Request. Please reconsider this.
#208
RE:Feature Request - Guest Network separate DHCP/DNS settings
2025-02-28 11:41:15 - last edited 2025-02-28 11:44:32

Need exactly this for setting up pihole and not make my smart switches on the guest network be upset. Not DHCP, just a separate DNS setting for the guest network should do.

#209
Re:Feature Request - Guest Network separate DHCP/DNS settings
2025-03-07 23:44:07

  @richpriest - I don't have a Deco but an AXE5400. I believe I solved this by setting the Secondary DNS to the IP of the main router itself. Since it can reach my pihole's IP when the guest network calls to it for DNS, it is able to then request to the pihole IP. Maybe this could work for others as well.

Cheers

#210
RE:Feature Request - Guest Network separate DHCP/DNS settings
2025-03-09 19:23:49
I need this as I run a DNS server on my home network. So guests can't access DNS, which defeats the purpose of the guest network.
#211
RE:Feature Request - Guest Network separate DHCP/DNS settings
2025-03-11 02:39:10 - last edited 2025-03-11 02:45:21

Deco M4R

+1 on separate DNS server for guest network

#212
Re:Feature Request - Guest Network separate DHCP/DNS settings
2 weeks ago - last edited 2 weeks ago

Hi guys, I just wanna share my config to work around this issue.

There is a setting in Deco app called Port Forwarding in Advanced menu. I used this to forward port 53 to my AdGuard server as DNS service. Then in the DNS Server setting, I declared AdGuard server IP as primary DNS and my Deco IP (which is 192.168.68.1) as secondary DNS then voilà my guest network now can access internet through AdGuard.

P/S: for simplicity you can declare the Deco IP as primary DNS for both main and guest network if you don't care about user's logs since AdGuard will report all usages from a single user (the Deco IP itself).

Hope this can help somebody out there.

Update, thanks to sailboats for pointing out the security risk of this method. If your Deco is not behind any router/firewall, you should NOT do this since it will open your Deco to the internet on port 53. My Deco is actually behind another router, which is my ISP's modem, so I have no issue with this setup.

#213
Re:Feature Request - Guest Network separate DHCP/DNS settings
2 weeks ago

  @nhuanquang

WHOAH, time out, let's talk this out. It sounds like you are opening port 53 of your router to the wider internet. If I understood you correctly you've just created an open/public DNS resolver, which is something you definitely don't want to do.

https://serverfault.com/questions/573465/what-is-an-open-dns-resolver-and-how-can-i-protect-my-server-from-being-misused

Unless I'm missing something basic - is there any authentication?

#214
Re:Feature Request - Guest Network separate DHCP/DNS settings
2 weeks ago

  @sailboats hi, forgot to mention that my Deco is behind another router (my ISP modem) so it's still behind that firewall. But yeah thanks for pointing this out for everyone else whose Deco is doing PPPoE or directly connected to the internet without a dedicated modem/router.

#215
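
The open-resolver concern raised in the exchange above can be verified against your own router. The following is an added example, not part of any post in this thread: it sends one recursive query to an address you administer and classifies the reply from its DNS header flags. The function names and the sample replies are constructed for illustration.

```python
import socket
import struct

TXID = 0x1234  # arbitrary query ID for this example

def build_query(name: str) -> bytes:
    """A/IN query with RD (recursion desired) set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify_response(resp: bytes) -> str:
    """Decide from the DNS header whether the server recursed for us."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != TXID or not flags & 0x8000:      # wrong ID or not a response (QR clear)
        return "malformed"
    rcode, ra = flags & 0x000F, bool(flags & 0x0080)
    if rcode == 5:                              # REFUSED: what a closed resolver should say
        return "refused"
    if ra and rcode == 0 and ancount > 0:       # recursion available and an answer returned
        return "open-resolver"
    return "not-recursive"

def probe(server_ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one UDP/53 query to an address you administer and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server_ip, 53))
            resp, _ = s.recvfrom(4096)
        except OSError:                         # timeout or ICMP unreachable: filtered/closed
            return "no-response"
    return classify_response(resp)

def sample_reply(flags: int, ancount: int) -> bytes:
    """Constructed reply: header, echoed question, optional A record (192.0.2.1)."""
    question = build_query("example.com")[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", TXID, flags, 1, ancount, 0, 0) + question + answer * ancount

SAMPLES = {  # constructed header flag combinations, not captured traffic
    "forwarded": sample_reply(0x8180, 1),   # QR|RD|RA, NOERROR, one answer
    "refused": sample_reply(0x8105, 0),     # QR|RD, REFUSED
    "auth-only": sample_reply(0x8100, 0),   # QR|RD, RA clear, no answer
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(f"{label:10s} -> {classify_response(reply)}")
```

Run `probe()` with your own WAN address from a host outside the LAN (for example a phone hotspot); `no-response` or `refused` means port 53 is not answering recursive queries from the internet, while `open-resolver` means the forward is exposed.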
Re:Feature Request - Guest Network separate DHCP/DNS settings
a week ago

All,

The workaround proposed by TP-Link DOES work, to an extent...

Setup:

  • PrimaryDNS      = local AdGuard server IP.
  • SecondaryDNS = router IP OR internet DNS server IP.

What will happen:

  • Client on Main network - will try AdGuard server first. If it is a blocked site, AdGuard will return 0.0.0.0, and the site will be blocked as desired!
    (AdGuard will NOT simply return nothing, as you might expect, causing the client to proceed to the secondary server. PiHole et al work similarly).
  • Client on Guest network - will not be able to reach AdGuard server (I don't think there is a timeout here, it cannot connect and immediately gives up), so it will proceed to secondary server, and so DNS will function.
    Note: if you use router IP here, the router will forward to your ISP DNS servers (not your local AdGuard server). This means guest network is NOT being protected by your AdGuard, and no DNS lookups will be blocked.
    IMO this is ok for a guest network.

-----------------------------------

Though I still agree with everyone else here - Guest network should be on a separate subnet, as this is the recommended networking practice (for simplicity, and security).

Perhaps @TP-Link are worried it would be a breaking change? But they could simply keep Guest with same subnet (as Main) for go-live, so nothing would change or break, allowing users to change it later as desired.

Additionally, it would be good to see the ability to configure exceptions to the firewall (that presumably already exists) between Main and Guest networks.

This way, we could allow access from Guest devices to, for example, DNS server or media server on Main network.

Obviously this would be more effort to implement, as would need a whole new section in the UI.

Warm Regards,

#216