Posted: Wed May 20, 2020 17:03 Post subject: Understanding static DNS and OpenVPN
After some experimentation and reading the posts around here, I am left with questions about how DNS requests work. Here are two dd-wrt use cases that hopefully someone can explain to me. I am using 'Firmware: DD-WRT v3.0-r43028 std (04/29/20)'
Use case #1: All router traffic goes through OpenVPN with an iptables rule rejecting WAN traffic (killswitch). In this scenario if I set a static DNS of my choosing it doesn't do anything, and using dnsleaktest shows the DNS servers are the same or similar to my IP address provided by the VPN provider. Does this mean there is no point in filling in the static DNS settings under this scenario?
Use case #2: Some router traffic goes through OpenVPN using policy based routing to specify certain local IP addresses. An iptables rule rejects WAN traffic from these specific IP addresses (selective killswitch). In this case if I set a static DNS server of my choosing it still doesn't work for the non-VPN traffic. dnsleaktest shows a different DNS than the one I set in dd-wrt even for non-VPN connections and even if I select 'Force DNS Redirection'. Is this a bug with dd-wrt or am I missing something? Does it have something to do with Windows?
To recap my questions. Is using a static DNS pointless when all traffic is forced over VPN? Why do non-VPN connections show different DNS servers than the one specified in dd-wrt?
Joined: 18 Mar 2014 Posts: 12888 Location: Netherlands
Posted: Wed May 20, 2020 17:50 Post subject:
Welcome to the forum
Most VPN providers also push a DNS server to you so if you enable "Query DNS in strict order" those DNS servers from your provider are used and (more importantly) the query is done via the tunnel.
When you use PBR things change, the router is mostly not using the tunnel so the DNS query is done via the WAN.
That causes a "DNS leak".
egc wrote:
Most VPN providers also push a DNS server to you so if you enable "Query DNS in strict order" those DNS servers from your provider are used and (more importantly) the query is done via the tunnel.
Thanks that explains my first use case. It seems "Query DNS in strict order" is set by default. Is it possible for the ISP DNS to be used if the VPN provider's DNS query fails? Or is it bullet proof-ish?
egc wrote:
When you use PBR things change, the router is mostly not using the tunnel so the DNS query is done via the WAN.
That causes a "DNS leak".
See my signature at the bottom of this post for some explanation and solutions, the third post of the OpenVPN PBR guide thread with a detailed description of DNS leaks and solutions
I read through your guides and it doesn't really explain why my static DNS entries are not working for non-VPN connections in the PBR use case. I have "Query DNS in strict order" set to enable as well as "Forced DNS Redirection". It says in your guide that the leak occurs using PBR when the static DNS is unavailable. But the no log DNS I chose can't be down all the time. Why is it still using the ISP DNS?
Joined: 18 Mar 2014 Posts: 12888 Location: Netherlands
Posted: Sun May 24, 2020 8:34 Post subject:
All clients whether using PBR or not are using the DNS servers from the router.
The DNS servers used can be found in /tmp/resolv.dnsmasq
This is an example of my resolv.dnsmasq:
nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 9.9.9.9
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 192.168.0.1
The first two are pushed by my OpenVPN provider (even when using PBR).
Nos. 3, 4 and 5 are my static DNS entries.
The last one is my ISP (that is the real DNS leak as described in: https://svn.dd-wrt.com/ticket/6908).
There is also another DNS leak as described in the guide, that is sending your DNS query via the WAN instead of the tunnel. Besides the leak it also gives you trouble if the VPN DNS servers are not publicly available; many DNS providers have only internal DNS servers which are not reachable via the internet but only via the tunnel.
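The post above says which resolvers are in /tmp/resolv.dnsmasq but not how to tell, on a PBR router, which of them will be queried through the tunnel and which through the WAN. The script below is an added example, not code from the thread or from dd-wrt: it reads a resolv.dnsmasq-style list and, for each nameserver, does the same longest-prefix lookup the kernel does against a routing table, then flags every resolver whose egress is not the tunnel. The tunnel interface name tun1, the WAN interface name vlan2, and both sample inputs (the resolver list from the post and a routing table in which only the provider's resolver subnet is routed into the tunnel) are assumptions constructed for the example. Because dnsmasq's strict-order mode tries the listed servers top to bottom and moves on when one does not answer, the order in this output is also the fallback order.

```shell
#!/bin/sh
# Added example for this thread (not code from the forum post or from dd-wrt):
# for each nameserver in a resolv.dnsmasq list, find the interface the routing
# table would send the query out of. On a PBR router only resolvers routed into
# the tunnel are safe; anything leaving via the WAN is a DNS leak.
#
# ASSUMPTIONS (not stated in the thread): tunnel interface tun1, WAN interface
# vlan2, and the two constructed samples below standing in for
# /tmp/resolv.dnsmasq and the output of `ip route show` on the router.

TUN_IF="${TUN_IF:-tun1}"   # assumed OpenVPN client interface name

# Constructed sample of /tmp/resolv.dnsmasq, mirroring the list in the post.
SAMPLE_RESOLV='nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 9.9.9.9
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 192.168.0.1'

# Constructed sample routing table for a PBR router: the provider pushed a
# route for its resolver subnet into the tunnel, but the default route (and
# therefore every other resolver) still leaves via the WAN.
SAMPLE_ROUTES='default via 192.168.0.1 dev vlan2
10.8.0.0/24 dev tun1 scope link
209.222.18.0/24 via 10.8.0.1 dev tun1
192.168.0.0/24 dev vlan2 scope link
192.168.1.0/24 dev br0 scope link'

# route_dev DST: longest-prefix lookup of DST against SAMPLE_ROUTES; prints
# the egress device, i.e. what `ip route get DST` would report on a live box.
route_dev() {
  printf '%s\n' "$SAMPLE_ROUTES" | awk -v dst="$1" '
    function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    BEGIN { best = -1; dev = "" }
    {
      pfx = ($1 == "default") ? "0.0.0.0/0" : $1
      n = split(pfx, p, "/"); bits = (n == 2) ? p[2] + 0 : 32
      d = ""; for (i = 1; i < NF; i++) if ($i == "dev") d = $(i + 1)
      # Compare only the top "bits" bits by integer-dividing both addresses
      # by 2^(32-bits); a longer matching prefix wins.
      scale = 2 ^ (32 - bits)
      if (int(ip2n(dst) / scale) == int(ip2n(p[1]) / scale) && bits > best) {
        best = bits; dev = d
      }
    }
    END { print dev }'
}

# classify_resolvers: read resolv.dnsmasq text on stdin and print
# "<nameserver> <device> <verdict>" per line, in dnsmasq's query order.
classify_resolvers() {
  while read -r kw ns rest; do
    [ "$kw" = "nameserver" ] || continue
    dev=$(route_dev "$ns")
    if [ "$dev" = "$TUN_IF" ]; then verdict=tunnel; else verdict=WAN-leak; fi
    printf '%s %s %s\n' "$ns" "$dev" "$verdict"
  done
}

# count_leaks: how many resolvers in SAMPLE_RESOLV would be queried via the WAN.
count_leaks() {
  printf '%s\n' "$SAMPLE_RESOLV" | classify_resolvers |
    awk '$3 == "WAN-leak" { n++ } END { print n + 0 }'
}

# Stand-alone run: per-resolver verdicts for the constructed sample.
printf '%s\n' "$SAMPLE_RESOLV" | classify_resolvers
```

For the sample inputs the two provider resolvers come out as tunnel and the three static entries plus the ISP gateway as WAN-leak, which is exactly the PBR situation the post describes. To run the same check on a router, replace SAMPLE_RESOLV with the contents of /tmp/resolv.dnsmasq and SAMPLE_ROUTES with the output of `ip route show` (PBR rules in other routing tables would need `ip rule`/`ip route show table N` as well, which this example does not model).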
If using latest FireFox browser for WIN10 it will use goofy cloudflare DNS by default unless you disable it ...
...and yea, it bypasses any DNS you have set in router -- thinking they know better than most I reckon...
If using latest FireFox browser for WIN10 it will use goofy cloudflare DNS by default unless you disable it ...
...and yea, it bypasses any DNS you have set in router -- thinking they know better than most I reckon...
Hey thanks for solving my question, you are the real MVP.
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Mon May 25, 2020 2:51 Post subject:
hmmm FFx has an excellent DoH (TRR) DNS support... I don't think it comes enabled by default, you have to turn it on manually...
yep cloudflare and nextDNS come by default but to make it work as it should you have to go CLI (about:config) and do some settings... as this is layer 7 DNS, it overrides any other DNS system setting and it fairly uses DoH (DNS over HTTP)... firewall bypassing DNS solution...
finally with some minor fiddling in FFx, you can set and use any favorable DNS that supports DoH, different by 1.1.1.1 or 8.8.8.8...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Mon May 25, 2020 4:03 Post subject:
blkt wrote:
It is enabled by default for US users starting with 73.0.1, engage tin foil hat.
Google joined the party with Chrome 83.
I don't think FFx 'network.trr.mode' is set to 3 by default, which is DoH TRR only..
the default is 2 which is system DNS and DoH... very silly... option...
Chrome DoH settings are poor...
Opera GX has DoH too.. along with free VPN (tor based)... it does the job for... a tin foil cap...