Understanding static DNS and OpenVPN

DD-WRT Forum Index -> Advanced Networking
HeyDawgHey
DD-WRT Novice


Joined: 20 May 2020
Posts: 4

Posted: Wed May 20, 2020 17:03    Post subject: Understanding static DNS and OpenVPN
After some experimentation and reading the posts around here, I am left with questions about how DNS requests work. Here are two dd-wrt use cases that hopefully someone can explain to me. I am using 'Firmware: DD-WRT v3.0-r43028 std (04/29/20)'

Use case #1: All router traffic goes through OpenVPN with an iptables rule rejecting WAN traffic (killswitch). In this scenario if I set a static DNS of my choosing it doesn't do anything, and using dnsleaktest shows the DNS servers are the same or similar to my IP address provided by the VPN provider. Does this mean there is no point in filling in the static DNS settings under this scenario?

Use case #2: Some router traffic goes through OpenVPN using policy based routing to specify certain local IP addresses. An iptables rule rejects WAN traffic from these specific IP addresses (selective killswitch). In this case if I set a static DNS server of my choosing it still doesn't work for the non-VPN traffic. dnsleaktest shows a different DNS than the one I set in dd-wrt even for non-VPN connections and even if I select 'Force DNS Redirection'. Is this a bug with dd-wrt or am I missing something? Does it have something to do with Windows?

To recap my questions. Is using a static DNS pointless when all traffic is forced over VPN? Why do non-VPN connections show different DNS servers than the one specified in dd-wrt?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12888
Location: Netherlands

Posted: Wed May 20, 2020 17:50
Welcome to the forum

Most VPN providers also push a DNS server to you so if you enable "Query DNS in strict order" those DNS servers from your provider are used and (more importantly) the query is done via the tunnel.

When you use PBR things change: the router is mostly not using the tunnel, so the DNS query is done via the WAN. That causes a "DNS leak".

See my signature at the bottom of this post for some explanation and solutions, the third post of the OpenVPN PBR guide thread with a detailed description of DNS leaks and solutions

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
HeyDawgHey
DD-WRT Novice


Joined: 20 May 2020
Posts: 4

Posted: Sun May 24, 2020 6:45
egc wrote:
Most VPN providers also push a DNS server to you so if you enable "Query DNS in strict order" those DNS servers from your provider are used and (more importantly) the query is done via the tunnel.


Thanks, that explains my first use case. It seems "Query DNS in strict order" is set by default. Is it possible for the ISP DNS to be used if the VPN provider's DNS query fails? Or is it bulletproof-ish?

egc wrote:
When you use PBR things change: the router is mostly not using the tunnel, so the DNS query is done via the WAN. That causes a "DNS leak".

See my signature at the bottom of this post for some explanation and solutions, the third post of the OpenVPN PBR guide thread with a detailed description of DNS leaks and solutions


I read through your guides and it doesn't really explain why my static DNS entries are not working for non-VPN connections in the PBR use case. I have "Query DNS in strict order" set to enable as well as "Forced DNS Redirection". It says in your guide that the leak occurs using PBR when the static DNS is unavailable. But the no log DNS I chose can't be down all the time. Why is it still using the ISP DNS?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12888
Location: Netherlands

Posted: Sun May 24, 2020 8:34
All clients whether using PBR or not are using the DNS servers from the router.

The DNS servers used can be found in /tmp/resolv.dnsmasq

This is an example of my resolv.dnsmasq:
nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 9.9.9.9
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 192.168.0.1

The first two are pushed by my OpenVPN provider (even when using PBR)
Nos. 3, 4 and 5 are my static DNS entries.
The last one is my ISP (that is the real DNS leak, as described in https://svn.dd-wrt.com/ticket/6908).

There is also another DNS leak, as described in the guide: sending your DNS query via the WAN instead of the tunnel. Besides the leak, it also gives you trouble if the VPN DNS servers are not publicly available; many DNS providers have only internal DNS servers which are not reachable via the internet but only via the tunnel.

Ways to deal with all this are described in the guide.

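Added example, not from any post in this thread: a POSIX sh script for the router that reads the nameserver list from /tmp/resolv.dnsmasq (the file described in the post above), asks the kernel which interface the router itself would reach each resolver through, and flags every resolver that would be queried over the WAN instead of the tunnel. The interface names, the nvram variable wan_iface and the use of BusyBox `ip route get` are assumptions, and the embedded list is a constructed sample that mirrors the example in the post; on the router the real file is used when present.

```shell
#!/bin/sh
# Audit the upstream resolver list dnsmasq actually uses on a DD-WRT router and
# show, for each resolver, which interface the router itself would send the
# query out of. dnsmasq's own upstream queries follow the main routing table;
# PBR rules written for LAN clients do not apply to them, so with PBR a resolver
# that is only reachable through the tunnel ends up being queried via the WAN.

# Constructed sample, same shape as the /tmp/resolv.dnsmasq shown in the post above.
SAMPLE_RESOLV='nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 9.9.9.9
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 192.168.0.1'

# Assumptions: wan_iface is the nvram name of the WAN interface (fallback vlan2)
# and the OpenVPN client interface is tun1. Override via the environment if needed.
WAN_IF="${WAN_IF:-$(nvram get wan_iface 2>/dev/null || echo vlan2)}"
TUN_IF="${TUN_IF:-tun1}"

# Interface the kernel would use to reach $1 (assumes BusyBox ip supports "route get").
egress_dev() {
    ip route get "$1" 2>/dev/null | sed -n '1s/.* dev \([^ ]*\).*/\1/p'
}

# One line per resolver: "<index> <ip> <origin-hint> <dev> <verdict>".
classify_ns() {
    idx="$1"; ns="$2"
    dev="$(egress_dev "$ns")"
    # A private address in the list is almost always the ISP/upstream box handed out by DHCP.
    case "$ns" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) origin="rfc1918/probably-DHCP" ;;
        *) origin="public" ;;
    esac
    case "$dev" in
        "$TUN_IF") verdict="ok-via-tunnel" ;;
        "$WAN_IF") verdict="LEAK-via-wan" ;;
        "")        verdict="unreachable" ;;
        *)         verdict="other-dev" ;;
    esac
    printf '%s %s %s %s %s\n' "$idx" "$ns" "$origin" "$dev" "$verdict"
}

# Read a resolv.dnsmasq-style list on stdin. The index matters: with
# "Query DNS in strict order" (dnsmasq strict-order) servers are tried top to
# bottom, so a WAN-routed server lower in the list is where queries go when
# the ones above it fail or time out.
audit_resolv() {
    idx=0; leaks=0
    while read -r kw ns _rest; do
        [ "$kw" = "nameserver" ] || continue
        idx=$((idx + 1))
        line="$(classify_ns "$idx" "$ns")"
        echo "$line"
        case "$line" in *LEAK*) leaks=$((leaks + 1)) ;; esac
    done
    echo "leaking resolvers: $leaks"
}

if [ -r /tmp/resolv.dnsmasq ]; then
    audit_resolv < /tmp/resolv.dnsmasq
else
    echo "no /tmp/resolv.dnsmasq here; auditing the constructed sample instead"
    printf '%s\n' "$SAMPLE_RESOLV" | audit_resolv
fi
```

Run it on the router after the OpenVPN client is up; every line marked LEAK-via-wan is a server the router will happily query in the clear over the ISP link, and the ordering shows which one it falls through to when the tunnel servers do not answer. The verdict only describes the route the router takes, not whether the server is one you trust.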
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6290
Location: Texas

Posted: Sun May 24, 2020 10:57
If using the latest Firefox browser for Win10 it will use goofy cloudflare DNS by default unless you disable it ...
...and yea, it bypasses any DNS you have set in router
-- thinking they know better than most I reckon...
HeyDawgHey
DD-WRT Novice


Joined: 20 May 2020
Posts: 4

Posted: Sun May 24, 2020 16:39
mrjcd wrote:
If using the latest Firefox browser for Win10 it will use goofy cloudflare DNS by default unless you disable it ...
...and yea, it bypasses any DNS you have set in router
-- thinking they know better than most I reckon...


Hey thanks for solving my question, you are the real MVP.
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5700

Posted: Mon May 25, 2020 2:42
Things enabled by default such as this bullshit are one of many reasons why I moved over to Pale Moon and Waterfox Classic.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

Posted: Mon May 25, 2020 2:51
hmmm FFx has excellent DoH (TRR) DNS support... I don't think it comes enabled by default, you have to turn it on manually...
yep cloudflare and nextDNS come by default but to make it work as it should you have to go CLI (about:config) and do some settings... as this is layer 7 DNS, it overrides any other DNS system setting and it fairly uses DoH (DNS over HTTP)... firewall-bypassing DNS solution...
finally with some minor fiddling in FFx, you can set and use any favorable DNS that supports DoH, different from 1.1.1.1 or 8.8.8.8...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5700

Posted: Mon May 25, 2020 2:58
It is enabled by default for US users starting with 73.0.1, engage tin foil hat.

Google joined the party with Chrome 83.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

Posted: Mon May 25, 2020 4:03
blkt wrote:
It is enabled by default for US users starting with 73.0.1, engage tin foil hat.

Google joined the party with Chrome 83.


I don't think FFx 'network.trr.mode' is set to 3 by default, which is DoH TRR only..
the default is 2 which is system DNS and DoH... very silly... option...
Chrome DoH settings are poor...

Opera GX has DoH too.. along with free VPN (tor based)...it does the job for...a tin foil cap...

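Added example, not from any post in this thread: shell functions for the router that (a) print iptables LOG rules catching LAN clients that talk DoT on port 853 or HTTPS to the well-known public resolvers named in this thread, which is how a browser's built-in DoH walks past "Forced DNS Redirection", and (b) summarise the resulting kernel log lines per client. The LAN interface br0, the log prefix and the sample log lines are constructed assumptions; the resolver addresses used (Cloudflare 1.1.1.1/1.0.0.1, Google 8.8.8.8/8.8.4.4) are real, and NextDNS is left out because its addresses are not on this page.

```shell
#!/bin/sh
# Detect LAN clients bypassing the router's dnsmasq with DNS-over-TLS (853) or
# DNS-over-HTTPS to known public resolvers. Forced DNS redirection only catches
# plain port-53 traffic; DoH rides on 443 and DoT on 853, so both need their own rules.

LAN_IF="${LAN_IF:-br0}"                       # assumption: DD-WRT LAN bridge
DOH_RESOLVERS="1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4" # resolver-only addresses, so 443 to them is DoH

# Print the iptables commands (nothing is applied here; paste into the firewall script).
# -m limit keeps a chatty client from flooding the kernel log.
bypass_log_rules() {
    # Clients have no business speaking DoT to the internet: the router does not offer DoT to the LAN.
    printf 'iptables -I FORWARD -i %s -p tcp --dport 853 -m limit --limit 6/min -j LOG --log-prefix "DNS-BYPASS DoT "\n' "$LAN_IF"
    for r in $DOH_RESOLVERS; do
        printf 'iptables -I FORWARD -i %s -d %s -p tcp --dport 443 -m limit --limit 6/min -j LOG --log-prefix "DNS-BYPASS DoH "\n' "$LAN_IF" "$r"
    done
}

# Summarise matching LOG lines from stdin as "<client> <kind> <resolver:port> <count>".
# Unrelated kernel lines are dropped by the sed filter.
summarise_bypass_log() {
    sed -n 's/.*DNS-BYPASS \([A-Za-z]*\) .*SRC=\([0-9.]*\) DST=\([0-9.]*\) .*DPT=\([0-9]*\).*/\2 \1 \3:\4/p' \
      | sort | uniq -c | awk '{print $2, $3, $4, $1}'
}

# Constructed sample in the netfilter LOG format (what dmesg shows after the rules fire).
SAMPLE_LOG='[ 4011.120] DNS-BYPASS DoH IN=br0 OUT=vlan2 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=1.1.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=7312 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
[ 4011.905] DNS-BYPASS DoH IN=br0 OUT=vlan2 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=1.1.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=7313 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
[ 4020.003] DNS-BYPASS DoT IN=br0 OUT=vlan2 MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=192.168.1.77 DST=9.9.9.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40222 DPT=853 WINDOW=29200 RES=0x00 SYN URGP=0
[ 4021.500] br0: port 2(eth1) entered forwarding state'

bypass_log_rules
echo "--- summary of the constructed sample log ---"
printf '%s\n' "$SAMPLE_LOG" | summarise_bypass_log
```

On the router, `dmesg | summarise_bypass_log` gives the per-client picture; a host showing up here is the one dnsleaktest is reporting on, whatever dnsmasq is configured to do. Swap LOG for REJECT once you have looked at the list, and keep the resolver list to addresses that serve nothing but DNS, since port 443 to a shared CDN address is not evidence of anything. Firefox's rollout-mode DoH (network.trr.mode 2) additionally honours the canary name use-application-dns.net: if dnsmasq answers it NXDOMAIN, Firefox falls back to the system resolver, but a client set to mode 3 ignores the canary and only the firewall rules above will catch it.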