WireGuard DNS Leakage

DD-WRT Forum Index -> Advanced Networking (page 2 of 2)
egc, DD-WRT Guru (Joined: 18 Mar 2014; Posts: 12837; Location: Netherlands)
Posted: Tue Nov 09, 2021 12:54
kyrix wrote:
    egc wrote:
        In your case as you are using PBR and you want to have split DNS servers there is another solution which kills two birds with one stone.

        Assuming you have two public DNS servers in static DNS 1 and 2 and added the WG DNS server in the "DNS servers via tunnel" you add the following rule to Administration/Commands Save firewall:
        Code:
        iptables -t nat -I PREROUTING -p tcp -s <IP address in PBR field> --dport 53 -j DNAT --to <IP address of DNS server>
        iptables -t nat -I PREROUTING -p udp -s <IP address in PBR field> --dport 53 -j DNAT --to <IP address of DNS server>

        Depending on what you have in the PBR field and if you have only one tunnel you can even automate this with:
        Code:
        iptables -t nat -I PREROUTING -p tcp -s $(nvram get oet1_pbr) --dport 53 -j DNAT --to $(nvram get oet1_dns)
        iptables -t nat -I PREROUTING -p udp -s $(nvram get oet1_pbr) --dport 53 -j DNAT --to $(nvram get oet1_dns)

        This rule catches all DNS queries from the entries in the PBR field and routes them to the specified DNS server.

        When you do this you can disable "strict order".

    I have several questions:

    1. When I click save firewall, how will I be able to delete them if needed?

    2. With the first set of codes you gave, do I delete the < >? Or do I enter the IP/DNS in between them?

    3. With the first set of codes as well, do I also add the CIDR that I have entered with the IP in the PBR field?

    4. "When you do this you can disable "strict order"" Does this apply to both sets of commands? Or only the second set?

    5. My final question is, is it better to use the first set or the second set of commands? If it's automated and I have a static DNS 1/2 set, would the second set of commands still work?

    I think if I am right by looking at the commands you've given, the first set manually assigns it to the specific PBR I have set, and the second just assigns the DNS automatically to the PBR so I won't have to change it every single time.

    My apologies for so many questions, I am trying to make sure of things, so if anyone looks through this thread in the future having the same problem they'll know what to do.


All good questions :)
1. Usually the advice is to test all these rules from the command line and only if they work add them to startup or firewall; otherwise you run the risk of locking yourself out and the only way out is the reset button. So making a backup which you can restore is always prudent (I am pretty confident that my rules are OK though, but better safe than sorry).
2/3. Yes, you delete the <> and enter the CIDR notation as well.
Both 2 and 3 should actually do exactly the same, only with 3 it gets the information already from the tunnel; try 3 from the command line and see its result with:
Code:
iptables -vnL PREROUTING -t nat

4. As the rules should do the same, yes.
5. Try 3 and see if that works out, otherwise set it manually according to 2.

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Tue Nov 09, 2021 18:21; edited 2 times in total
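The two rule sets and the verification command from egc's post, worked into one small script. This is an added example, not egc's or DD-WRT's own code: the helper names (dns_dnat_rules, dns_dnat_status, is_ipv4_or_cidr) are made up for it, it assumes the PBR field holds a single IPv4 address or CIDR and the DNS server is a single IPv4 address, and the "iptables -vnL PREROUTING -t nat" output embedded in it is constructed, not captured from a router. The script prints the iptables commands instead of running them, so it can be dry-run on any host; the "del" action prints the same rules with -D, which is how rules added with -I are removed again (kyrix's question 1), and dns_dnat_status checks that both the tcp and the udp rule exist and reports their packet counters, the part of the -vnL output that shows whether client queries are actually being caught.

```shell
#!/bin/sh
# Added example, not egc's or DD-WRT's code. Helper names are hypothetical.
# Assumes: PBR field = one IPv4 address or CIDR, DNS server = one IPv4 address.
# Rules are printed, not executed; on the router you would pipe them to sh.

# Loose syntax check for "a.b.c.d" or "a.b.c.d/nn" so that nothing odd is
# spliced into an iptables command line.
is_ipv4_or_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# dns_dnat_rules add|del SRC DNS
# Prints the tcp and udp DNAT rules from the thread. "del" prints the same
# rules with -D, which removes exactly what -I inserted.
dns_dnat_rules() {
    action=$1; src=$2; dns=$3
    case "$action" in
        add) flag=-I ;;
        del) flag=-D ;;
        *) echo "usage: dns_dnat_rules add|del SRC DNS" >&2; return 2 ;;
    esac
    is_ipv4_or_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
    is_ipv4_or_cidr "$dns" || { echo "bad DNS address: $dns" >&2; return 1; }
    for proto in tcp udp; do
        echo "iptables -t nat $flag PREROUTING -p $proto -s $src --dport 53 -j DNAT --to $dns"
    done
}
# Automated variant, taking the values from nvram on the router:
#   dns_dnat_rules add "$(nvram get oet1_pbr)" "$(nvram get oet1_dns)" | sh

# dns_dnat_status SRC DNS  <  output of: iptables -vnL PREROUTING -t nat
# Counts the DNAT rules for port 53 from SRC to DNS and sums their packet
# counters (column 1). Exit 0 only if both the tcp and the udp rule exist.
# Use "iptables -vnxL" on a busy router so counters are exact, not "12K".
dns_dnat_status() {
    src=$1; dns=$2
    awk -v src="$src" -v dns="$dns" '
        $3 == "DNAT" && $8 == src && /dpt:53/ && $NF == ("to:" dns) { n++; pkts += $1 }
        END { printf "%d rules, %d packets\n", n, pkts; exit (n >= 2 ? 0 : 1) }'
}

# Constructed sample of "iptables -vnL PREROUTING -t nat" after adding the
# rules for 192.168.1.0/24 -> 10.2.0.1 (not real router output).
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 1203 packets, 98K bytes)
 pkts bytes target     prot opt in     out     source               destination
   35  2310 DNAT       udp  --  *      *       192.168.1.0/24       0.0.0.0/0            udp dpt:53 to:10.2.0.1
   22  1452 DNAT       tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:53 to:10.2.0.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.10:8080'

# Dry run on the sample: print the add rules, then check them.
dns_dnat_rules add 192.168.1.0/24 10.2.0.1
printf '%s\n' "$SAMPLE_NAT" | dns_dnat_status 192.168.1.0/24 10.2.0.1
```

On the router the check step is simply "iptables -vnL PREROUTING -t nat | dns_dnat_status <PBR entry> <DNS IP>" after the rules are in place; a rule count of 2 with counters that climb while a client resolves names is the evidence that the redirect is working, and a count of 2 with counters stuck at 0 points at the PBR entry not matching the client's address.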
egc, DD-WRT Guru (Joined: 18 Mar 2014; Posts: 12837; Location: Netherlands)
Posted: Tue Nov 09, 2021 16:26
To add: depending on the setup and the DNS server used, the router can signal and block it as a rebind attack.

So disable "No DNS Rebind" on the Services page.

kyrix, DD-WRT Novice (Joined: 08 Nov 2021; Posts: 11)
Posted: Wed Nov 10, 2021 5:09
Interesting. Alright, so with the automated codes, it only shows my ISP's DNS now.

Even with "Ignore WAN DNS" enabled, my ISP's DNS servers are now being used, both within the VPN tunnel, and outside of it on all devices. My VPN's DNS is not being used at all, and the ones I have set in Static DNS are being entirely ignored.

No rebind has been turned off as you specified, and so has strict order.
kyrix, DD-WRT Novice (Joined: 08 Nov 2021; Posts: 11)
Posted: Wed Nov 10, 2021 5:15
I have tried the manual codes now (with SurprisedItWorks's hint above to remove the parentheses in the code), and my tunnel is now using only the VPN DNS!

Yet, still, sadly my other devices are now only using my ISP's DNS for unknown reasons. I am entirely unsure why dnsmasq is even answering with their pushed servers when Ignore WAN DNS is checked. Any ideas?
kyrix, DD-WRT Novice (Joined: 08 Nov 2021; Posts: 11)
Posted: Wed Nov 10, 2021 5:27
I've found the culprit. "Recursive DNS Resolving (Unbound)" is what I checked so my DNS in Static 1 would be able to utilize it (they say they support it on their page), but when checked, it entirely ignores every Static DNS I have set and uses only my ISP's DNS for whatever reason.

Is this supposed to happen, or? I'll leave it unchecked since that doesn't work as I planned it to.

With it unchecked, when I check my DNS it now shows both my Static 1 DNS, and my tunnel DNS side by side, sometimes it shows only my Static 1 DNS, and sometimes it only shows my tunnel DNS (non-VPN clients).

I'm unsure if websites are supposed to be able to see the tunnel's DNS when the clients I test it on aren't even assigned it, but if it isn't a big deal (not a DNS leak issue), then I'll say my setup is going well now thanks to egc's manual iptables codes.

I am a little worried about No Rebind being disabled, as I've checked the logs and it warns me that a Microsoft website is constantly being blocked by the option.
egc, DD-WRT Guru (Joined: 18 Mar 2014; Posts: 12837; Location: Netherlands)
Posted: Wed Nov 10, 2021 6:55
We are slowly getting to the bottom of this :)

You do need the parentheses for the automatic code; that was actually what @SurprisedItWorks was saying, he knows a thing or two about scripting (it was perhaps confusing, so I redacted everything to avoid confusion in the future).

Always check if it works with:
Code:
iptables -vnL PREROUTING -t nat

The Microsoft rebind warning is harmless; it is Windows checking network availability, but of course there could be other, more dangerous rebind attacks.

You can try with it enabled and see if it still works.

I cannot tell you anything about Unbound, I do not use it; my DNS goes via the VPN tunnel :)


Edit: I think it will work with "No DNS Rebind" enabled; it was more to rule out that that is the problem.

Edit 2: be sure to disable "Query DNS in Strict Order".

All times are GMT