Joined: 18 Mar 2014 Posts: 3654 Location: Netherlands
Posted: Sat May 11, 2019 20:36 Post subject:
You can use my simple PBR script, which gives you the ability for destination based routing, so that you can route the DNS server via the VPN.
See my signature at the bottom.
In that thread see the notes about DNS leaks and how to mitigate that.
At the moment @eibgrad is also working on some really nice things regarding DNS leaks.
Joined: 04 Aug 2018 Posts: 288 Location: Appalachian mountains, USA
Posted: Sun May 12, 2019 18:29 Post subject:
Fascinating discussion, but I am finding myself confused on the question of whether DNS queries go out via the WAN or the VPN. That seems central enough to this discussion that I hope I'm not guilty of hijacking a thread here as I look for more clarity.
On BS builds, I have always had a VAP with internet routed through the VPN using PBR (with SFE disabled). I have operated it two different ways.
Current approach: In the Wireless Basic Settings, I set the VAP's "Optional DNS Target" to 192.168.X.1, the VAP gateway, so that DNS service is provided by DNSMasq using my global setup, which uses DNSCrypt and Quad9 (see link at end). The usual leak tests show Quad9 servers, and I have verified with nf_conntrack that DNS requests and replies go through 127.0.0.1:30 as specified in the DNSMasq config's server= line. Using Quad9 and DNSCrypt feels reasonably secure though not as much so as using the VPN provider's DNS servers, and it is way, way faster. (I am not paranoid about Quad9's partial government sponsorship. My government is too capable to thwart with a simple VPN anyway. I'm more interested in thwarting advertising networks, etc.) I get that these DNSCrypt DNS requests are going out via the WAN.
More basic approach, which I have not used in a while: In the VAP setup, set "Optional DNS Target" to the IP of the VPN provider's DNS server. With this setup, the usual DNS leak-test websites never show the server IP address I configured. Instead, they always show a single DNS server with the same IP (or occasionally off by one) as the other, public end of the VPN tunnel. I always assumed this meant I was obtaining DNS service through the VPN and that the server showing as the tunnel's IP was just some VPN-provider cleverness. True? Not? Could I really have been going through the WAN? If so, how would it be possible to have my remote IP and my DNS server showing as the same IP?
_________________
Six of the Linksys WRT1900ACSv2 on r38159 and r40009.
On various: VLANs, client-mode travel router, two DNSCrypt servers (incl Quad9), multiple VAPs, USB/NAS, OpenVPN client/PBR (random NordVPN server).
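The nf_conntrack check described in the post above can be turned into a small classifier. This is an added example, not the poster's or DD-WRT's code: it parses constructed /proc/net/nf_conntrack lines (not real captures) and sorts DNS flows into those answered by the local dnsmasq or DNSCrypt listener (port 30 as named in the post), those going to an assumed VPN-side resolver (10.8.0.1 here), and anything else on port 53, which is a candidate leak. The LAN subnet 192.168.3.0/24 and the resolver addresses are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed /proc/net/nf_conntrack lines (not real captures). 10.8.0.1 stands in
# for a VPN-side resolver, 198.51.100.53 for an arbitrary public resolver.
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 25 src=127.0.0.1 dst=127.0.0.1 sport=41234 dport=30 src=127.0.0.1 dst=127.0.0.1 sport=30 dport=41234 mark=0 use=1
ipv4     2 udp      17 25 src=192.168.3.20 dst=192.168.3.1 sport=50001 dport=53 src=192.168.3.1 dst=192.168.3.20 sport=53 dport=50001 mark=0 use=1
ipv4     2 udp      17 25 src=192.168.3.21 dst=10.8.0.1 sport=50002 dport=53 src=10.8.0.1 dst=192.168.3.21 sport=53 dport=50002 mark=0 use=1
ipv4     2 udp      17 25 src=192.168.3.22 dst=198.51.100.53 sport=50003 dport=53 src=198.51.100.53 dst=192.168.3.22 sport=53 dport=50003 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.3.22 dst=203.0.113.9 sport=50004 dport=443 src=203.0.113.9 dst=192.168.3.22 sport=443 dport=50004 [ASSURED] mark=0 use=1
"""

# First src/dst/sport/dport group on a line is the original (client -> server) direction.
ORIG_TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def classify_dns_flows(conntrack_text, vpn_resolvers, lan_nets, local_dns_port=30):
    """Return a list of (src, dst, dport, verdict) for every DNS-looking flow."""
    results = []
    vpn = {ip_address(a) for a in vpn_resolvers}
    lans = [ip_network(n) for n in lan_nets]
    for line in conntrack_text.splitlines():
        m = ORIG_TUPLE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(4))
        dst_ip = ip_address(dst)
        if dport == local_dns_port and dst_ip.is_loopback:
            verdict = "local-dnscrypt"      # dnsmasq -> DNSCrypt proxy on 127.0.0.1
        elif dport != 53:
            continue                        # not DNS, ignore
        elif dst_ip.is_loopback or any(dst_ip in n for n in lans):
            verdict = "local-dnsmasq"       # client -> router's dnsmasq
        elif dst_ip in vpn:
            verdict = "vpn-resolver"        # client/router -> VPN provider DNS
        else:
            verdict = "LEAK"                # plain port-53 DNS to some other resolver
        results.append((src, dst, dport, verdict))
    return results

if __name__ == "__main__":
    for row in classify_dns_flows(SAMPLE_CONNTRACK, ["10.8.0.1"], ["192.168.3.0/24"]):
        print("%-15s -> %-15s :%-3d %s" % row)
```

A conntrack entry records the destination address but not the egress interface, so a flow to the VPN resolver's address only proves the destination; confirm the path with `ip route get <resolver-ip>` (and `ip rule`) on the router, since a wrong PBR rule would still send that packet out the WAN.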