I have another problem I don't know why I have it.
In short: I have set up policy based VPN routing (see above). So I want all defined devices to go through the VPN and all others not. However, now all devices use the VPN's DNS server and no longer the native ones. I.e. I have a local IP but a DNS server from another country for non-VPN-routed devices. This results in constant problems (e.g. with Netflix) but also the VPN DNS not responding to DNS requests.
What could be a fix? Thank you
Dnsmasq
Dnsmasq: Enable
Encrypt DNS: Disable
Cache DNSSEC data: Disable
Validate DNS Replies (DNSSEC): Disable
Check unsigned DNS replies: Disable
Local DNS: Disable
No DNS Rebind: Enable
Query DNS in Strict Order: Enable
Add Requestor MAC to DNS Query: Disable
RFC4039 Rapid Commit support: Disable
The problem is that by default, the router's DHCP server (DNSMasq) configures its DHCP clients w/ the router as their DNS server (also DNSMasq, acting as a local, caching, DNS proxy). But DNSMasq has no means to discriminate among different clients when it comes to DNS. It serves all clients equally. And when the OpenVPN client gets connected to the OpenVPN server, it reconfigures the router's DNS server (which are currently using the ISP's DNS servers) w/ the DNS servers push'd by the OpenVPN provider. Hence everyone, regardless whether they are using the WAN or VPN, will have their DNS queries routed over the VPN.
If you want your WAN and VPN clients to have their DNS queries routed over the WAN and VPN respectively, then you need to reconfigure your clients so they are NOT dependent on DNSMasq in the first place. Instead, you configure them w/ *public* DNS servers.
IOW, you *bypass* DNSMasq completely when it comes to DNS. And now, depending on how you've configured those clients wrt PBR, their DNS queries will be sent over the correct network interface, just like every other request from those same clients. Of course, the downside is that you lose the benefits of DNSMasq's DNS server (local name resolution, caching, etc.). But that might not be as important to some ppl as making sure those clients use the correct network interface for DNS.
Joined: 18 Mar 2014 Posts: 12450 Location: Netherlands
Posted: Sun Nov 15, 2020 20:06 Post subject:
If you really added no-resolve to the additional DNSMasq options, then that could be stopping DNSMasq, as it is no-resolv (without the e).
Why adding pull-filter ignore "dhcp-option DNS" would stop the handing out of IP addresses is difficult to comprehend; it stops the adding of DNS servers.
You do have DNS servers set under Static DNS 1 and Static DNS 2?
When using PBR you also should not have a kill switch installed.
> then I can connect to my router, but no internet - and I lose the capability to log in as admin. Had to reset multiple times.
Funny thing, too:
If I add to VPN config:
pull-filter ignore "dhcp-option DNS"
> My wifi does not work anymore, as IP leases are not handed out to devices (I cannot connect to LAN via wifi/ ethernet)
I have no idea why this happens though.
I must admit that what OP is saying is true. From what I've experienced, if wrong information is used in DNSMasq Additional Options it won't let you access the internet and/or the router's homepage.
However I've found a way around it using SSH. Obviously 2 routers are required for this to work. Connect to your non DD-WRT (ISP in my case) router and then use SSH using DD-WRT's WAN IP to establish a connection. I use PuTTY for this. Then simply open the browser and type localhost:80. You're in.
Now back to the problem with the Streaming services. I have got enabled "Ignore WAN DNS" in "Setup>Basic Setup" tab under "WAN Setup".
Local DNS: 85.203.37.1
Static DNS 1: 85.203.37.1
Static DNS 2: 1.0.0.0
Static DNS 3: 2.0.0.0
conf-file=/jffs/dnsmasq/mpdomains #ADDBLOCK BY YAMARAJ
addn-hosts=/jffs/dnsmasq/mphosts #ADDBLOCK BY YAMARAJ
address=/mesu.apple.com/0.0.0.0 #BLOCK APPLE UPDATES
address=/appldnld.apple.com/0.0.0.0 #BLOCK APPLE UPDATES
address=/swscan.apple.com/0.0.0.0 #BLOCK APPLE UPDATES
address=/xp.apple.com/0.0.0.0 #BLOCK APPLE UPDATES
address=/gdmf.apple.com/0.0.0.0 #BLOCK APPLE UPDATES
Now the question is. Is there a way to tell the router to ignore "Ignore WAN DNS" for a specific website which in my case is Netflix & Amazon? In other words force specific websites to use WAN DNS instead?
I also think that Netflix is probably a bit easier to get around whilst using VPN - the only way I found so far is to untick "Ignore WAN DNS" and "Use DNSMasq for DNS" and finally remove the Static DNS IPs.
Amazon on the other hand always detects if I'm using a VPN connection.
Any help would be much appreciated guys, please take it easy on me as I'm a newbie still.
P.S. Yes I have looked at the PBR guide but I must admit that I'm a bit confused..
> Now the question is. Is there a way to tell the router to ignore "Ignore WAN DNS" for a specific website which in my case is Netflix & Amazon? In other words force specific websites to use WAN DNS instead?
Choose a public DNS server (e.g., 8.8.8.8 ) and bind that to the WAN by adding the following to the OpenVPN client Additional Config field.
Code:
route 8.8.8.8 255.255.255.255 net_gateway
Now add the following to Additional DNSMasq Options:
Code:
server=/amazon.com/netflix.com/8.8.8.8
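To see what the server=/domain/ip line above actually does, here is an added example (not from the thread or from DD-WRT) that models how dnsmasq picks an upstream: the longest domain suffix listed on a server= line wins, and any name that matches nothing goes to the default upstreams, which on this router are the ones pushed by the VPN. The sample config and the 10.8.0.1 "VPN resolver" are constructed; dnsmasq takes one upstream address per server= line, so a second resolver for the same domains is a second line.

```python
"""Model of dnsmasq's server=/d1/d2/ip upstream selection (added example).
Assumptions: constructed config and resolver addresses; longest-suffix match
on the listed domains; unmatched names fall back to the default upstreams."""
import ipaddress


def _is_ip(text):
    """True if text is an IP, ignoring dnsmasq's optional #port / @interface."""
    try:
        ipaddress.ip_address(text.split("#", 1)[0].split("@", 1)[0])
        return True
    except ValueError:
        return False


def parse_server_line(line):
    """Return (domains, upstream) for 'server=/d1/d2/ip'; raise on bad syntax.
    One upstream per line: a second resolver needs its own server= line."""
    line = line.strip()
    if not line.startswith("server=/"):
        raise ValueError("not a domain-scoped server= line: %r" % line)
    parts = line[len("server="):].split("/")  # ['', 'd1', 'd2', 'ip']
    domains, upstream = parts[1:-1], parts[-1]
    if not _is_ip(upstream) or not domains or any(_is_ip(d) for d in domains):
        raise ValueError("exactly one IP upstream per server= line: %r" % line)
    return [d.lower().strip(".") for d in domains], upstream


def build_table(config_lines):
    """Map each listed domain to the upstreams configured for it, in order."""
    table = {}
    for line in config_lines:
        if line.strip() and not line.lstrip().startswith("#"):  # '#' = comment
            domains, upstream = parse_server_line(line)
            for d in domains:
                table.setdefault(d, []).append(upstream)
    return table


def upstreams_for(name, table, default):
    """Longest-suffix match over the table; unmatched names use default."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        hit = table.get(".".join(labels[i:]))
        if hit:
            return hit
    return default


CONFIG = [  # constructed sample of Additional DNSMasq Options
    "server=/amazon.com/netflix.com/8.8.8.8",
    "server=/amazon.com/netflix.com/8.8.4.4",  # second resolver, own line
]
VPN_DNS = ["10.8.0.1"]  # constructed: resolver pushed by the VPN provider
```

Calling upstreams_for("cdn.example-streaming.net", build_table(CONFIG), VPN_DNS) returns the VPN resolver, which is why a host on a domain not listed in server= still resolves through the VPN.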
Thanks eibgrad, I think I get it now.
I see you can add multiple domain names (amazon.com/netflix.com/). Can I do the same thing with the last line with the IP? For example:
Code:
server=/amazon.com/netflix.com/8.8.8.8/8.8.4.4
Quote:
The problem is that Netflix and Amazon and the likes have multiple DNS/server and domains and it is difficult to catch them all so this alone will probably not save you.
You're right, what I have noticed now is that I can access Netflix.com and Amazon.com (before they wouldn't connect at all) but no pictures/thumbnails load at all. Upon adding the below additionally to what eibgrad suggested I get some thumbnails loading but not all. Seems like I need to find a way to catch all of the IP addresses at once. Isn't it possible to use domain names/hostnames to do this - same as you would do with your printer for example - instead of telling your computer to look for xxx.xxx.xxx.xxx, simply look for printername (in case a static IP address hasn't been leased for it).
So I thought this should already ensure the x.x.x.x are only used by VPN-routed devices. I have a lot to learn it seems...
As an aside in this enlightening thread, let me go back to this and note that just as you suspected, it doesn't mean that at all. It means that x.x.x.x will always, for all clients, whether otherwise using the VPN or not, be reached via the VPN.
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.