MullvadVPN Wireguard Tunnel + NextDNS DNS Resolution

DD-WRT Forum Index -> Advanced Networking
junipergrower
DD-WRT Novice


Joined: 22 Apr 2020
Posts: 12

Posted: Fri Mar 03, 2023 6:16    Post subject: MullvadVPN Wireguard Tunnel + NextDNS DNS Resolution
I have set up a Wireguard tunnel with Mullvad VPN on my Netgear R7000 dd-wrt router. The tunnel uses the defaults required for Mullvad VPN and works well.

However, I want to change the DNS resolution in the Wireguard tunnel to use NextDNS for DNS resolution instead of the default Mullvad DNS resolver.

Can anyone help me figure out how to change the DNS resolution in the Wireguard tunnel to use NextDNS, ideally using DNS-over-TLS or DNS-over-HTTPS?

Nothing that I have tried has worked so far.

Thank you in advance.
shb
DD-WRT Novice


Joined: 06 Oct 2013
Posts: 39

Posted: Fri Mar 03, 2023 6:38
I have a similar setup also on R7000, though my VPN provider is not Mullvad.

For my DNS I use pi-hole (192.168.9.103) pointing to 1.1.1.1

Depending on my mood, sometimes I choose to have DNS traffic go out to the internet just via the WAN, and other times I choose to have it route through the VPN tunnel (oet1).

The way I make that happen is with settings:

DNS Servers via Tunnel - I leave this one empty
Source Routing (PBR) - route SELECTED to VPN
Source for PBR - <whatever else>, 192.168.9.103/32

Note if the 103 address is already in the <whatever else> range, it is already going out via the VPN. And remember that "/32" is a subnet mask that means a range of one address.

* my mood usually is about data privacy, so usually I let it run out via the VPN (oet1).

A great tool to show which DNS server is actually being used is https://dnsleaktest.com
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12882
Location: Netherlands

Posted: Fri Mar 03, 2023 7:20
The WireGuard interface has a DNS setting.

This setting will tell DNSMasq which upstream DNS resolver to use.

So you can simply replace Mullvad's DNS server with the one you like, be it NextDNS or whatever.
But it only supports regular DNS53 and not secure DNS.

You can use secure DNS via DNSMasq/SmartDNS (see the SmartDNS guide, a sticky in this forum); then just leave the WireGuard DNS setting empty.

If you do not use PBR (Policy Based Routing), everything will go via the tunnel, so your DNS too. If you do use PBR, then you can add the address of the DNS server in the WireGuard Destination Routing field and route it via the tunnel.

WireGuard Documentation is a sticky in this forum: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
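egc's last point (under PBR the resolver's address has to be routed via the tunnel explicitly) and shb's suggestion of dnsleaktest.com both come down to the same question: which interface does traffic to the resolver actually leave on? The following shell script is an added example, not code from the thread or from the DD-WRT project. It parses the `dev` field of the iproute2 `ip route get <resolver>` output and reports whether the resolver is reached through the WireGuard interface (oet1, as named in the thread) or would go out via the WAN. The resolver address 1.1.1.1 is a placeholder, and the sample route lines are constructed, not captured from a router.

```shell
#!/bin/sh
# Added example, not from the thread or DD-WRT: check whether a DNS resolver is
# routed through the WireGuard tunnel (oet1) or would leak out via the WAN.
# Assumptions: tunnel interface name oet1, resolver 1.1.1.1 as a placeholder,
# and the sample route lines below are constructed, not real captures.

# Print the egress interface named in one line of `ip route get` output.
parse_egress_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Return 0 when the route line sends traffic out of the given tunnel interface.
dns_via_tunnel() {
    route_dev=$(parse_egress_dev "$1")
    [ -n "$route_dev" ] && [ "$route_dev" = "$2" ]
}

# Live check, meant to be run on the router itself (needs the iproute2 `ip` tool).
# Usage: check_resolver 1.1.1.1 oet1
check_resolver() {
    resolver="$1"
    tun="${2:-oet1}"
    route_line=$(ip route get "$resolver" 2>/dev/null) || {
        echo "could not look up a route for $resolver"
        return 2
    }
    if dns_via_tunnel "$route_line" "$tun"; then
        echo "OK: DNS to $resolver leaves via $tun"
        return 0
    fi
    echo "LEAK: DNS to $resolver leaves via $(parse_egress_dev "$route_line"), not $tun"
    return 1
}

# Constructed sample output in the shape `ip route get` prints on Linux:
# one line where the resolver is reached through the tunnel, one via the WAN.
SAMPLE_TUNNEL='1.1.1.1 dev oet1 src 10.64.0.2 uid 0'
SAMPLE_WAN='1.1.1.1 via 203.0.113.1 dev vlan2 src 203.0.113.10 uid 0'

# Offline demonstration on the constructed samples.
for line in "$SAMPLE_TUNNEL" "$SAMPLE_WAN"; do
    if dns_via_tunnel "$line" oet1; then
        echo "via tunnel : $line"
    else
        echo "via WAN    : $line (would leak)"
    fi
done
```

On the router, `check_resolver <resolver-ip> oet1` answers the question from the routing table directly; a LEAK result under PBR means the resolver's address still needs to be added to the WireGuard Destination Routing field, as egc describes. dnsleaktest.com remains the end-to-end confirmation, since this check only looks at the local route and not at what the upstream actually sees.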
junipergrower
DD-WRT Novice


Joined: 22 Apr 2020
Posts: 12

Posted: Wed Mar 08, 2023 23:23
Thank you for the insights. I specifically am not using pi-hole as I want a non-self-hosted DNS resolver which can be accessed from outside the network. But your mention of choosing the DNS resolver based on mood has got me considering a pi-hole again!

shb wrote:
I have a similar setup also on R7000, though my VPN provider is not Mullvad.

For my DNS I use pi-hole (192.168.9.103) pointing to 1.1.1.1

Depending on my mood, sometimes I choose to have DNS traffic go out to the internet just via the WAN, and other times I choose to have it route through the VPN tunnel (oet1).

The way I make that happen is with settings:

DNS Servers via Tunnel - I leave this one empty
Source Routing (PBR) - route SELECTED to VPN
Source for PBR - <whatever else>, 192.168.9.103/32

Note if the 103 address is already in the <whatever else> range, it is already going out via the VPN. And remember that "/32" is a subnet mask that means a range of one address.

* my mood usually is about data privacy, so usually I let it run out via the VPN (oet1).

A great tool to show which DNS server is actually being used is https://dnsleaktest.com
junipergrower
DD-WRT Novice


Joined: 22 Apr 2020
Posts: 12

Posted: Wed Mar 08, 2023 23:25
Thank you for the ideas. As I am using secure DNS your suggestions about DNSMasq seem like the route to go. I am also looking into stubby as an alternative, but essentially it would accomplish the same thing as DNSMasq. Thanks again for the pointers.

egc wrote:
The WireGuard interface has a DNS setting.

This setting will tell DNSMasq which upstream DNS resolver to use.

So you can simply replace Mullvad's DNS server with the one you like, be it NextDNS or whatever.
But it only supports regular DNS53 and not secure DNS.

You can use secure DNS via DNSMasq/SmartDNS (see the SmartDNS guide, a sticky in this forum); then just leave the WireGuard DNS setting empty.

If you do not use PBR (Policy Based Routing), everything will go via the tunnel, so your DNS too. If you do use PBR, then you can add the address of the DNS server in the WireGuard Destination Routing field and route it via the tunnel.

WireGuard Documentation is a sticky in this forum: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397