open vpn - dns

James80
DD-WRT User


Joined: 09 Mar 2020
Posts: 121

Posted: Sat Apr 11, 2020 16:09    Post subject: open vpn - dns
hi,

I set up ExpressVPN on the router; I'm connected, no problem.
I'm using OpenDNS, and when I check my connection (DNS leak test on the ExpressVPN page) I'm protected. BUT, when I choose the New York, Montreal or Toronto servers I'm fully protected, I mean the IP and DNS IP are from ExpressVPN, but when I choose Paris, Strasbourg or UK, I'm still connected but the DNS IP is now from OpenDNS, so I'm not 100% under ExpressVPN.

When I try to watch Netflix, I can when I'm 100% protected by ExpressVPN, and when the DNS are not ExpressVPN, Netflix detects the VPN.

My question is, do you know why for some servers I have the ExpressVPN DNS and for some not?

thanks
James80
DD-WRT User


Joined: 09 Mar 2020
Posts: 121

Posted: Sat Apr 11, 2020 16:15    Post subject:
After some days, I've just received an email from ExpressVPN, but it doesn't solve my problem...:

"Since you set up the VPN manually, there is no way to guarantee you will get the DNS from our VPN. This is because there is no way to properly force the router to get the DNS from our VPN servers. While the DD-WRT does have options to force the router to get the DNS from the VPN servers, there will be times that it will fail and will either use your DNS or get it from somewhere else."
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3702
Location: UK, London, just across the river..

Posted: Sat Apr 11, 2020 17:07    Post subject:
if you use ISP DNS or those boxes under the Basic Settings menu, then you are prone to DNS leaks. In DD-WRT it hasn't been fixed so far...

possible mitigation...
use Forced DNS
use DNSMasq for DNS
use commands to force DNSMasq to use only those
DNS you want...

add those commands in Additional DNSMasq Options...

no-resolv
server=1.1.1.1
server=9.9.9.9

replace 1.1.1.1 or 9.9.9.9 with your DNS servers

add this in the VPN Additional Config (may not work as intended)
pull-filter ignore "dhcp-option DNS"

for best results use Stubby for DNS; it sends DNS (TLS encrypted)
requests inside the VPN channel, link in red down below in my signature

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 43886 BS AP,NAT
TP-Link WR740Nv4 ------DD-WRT 43028 BS WAP/Switch
TP-Link WR1043NDv2 ----DD-WRT 44048 BS AP,NAT,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----DD-WRT 43886 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -------DD-WRT 43886 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -------DD-WRT 43886 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS | DNSCrypt v2 by mac913
James80
DD-WRT User


Joined: 09 Mar 2020
Posts: 121

Posted: Sat Apr 11, 2020 17:10    Post subject:
Alozaros wrote:
if you use ISP DNS or those boxes under the Basic Settings menu, then you are prone to DNS leaks. In DD-WRT it hasn't been fixed so far...

possible mitigation...
use Forced DNS
use DNSMasq for DNS
use commands to force DNSMasq to use only those
DNS you want...

add those commands in Additional DNSMasq Options...

no-resolv
server=1.1.1.1
server=9.9.9.9

replace 1.1.1.1 or 9.9.9.9 with your DNS servers

add this in the VPN Additional Config (may not work as intended)
pull-filter ignore "dhcp-option DNS"

for best results use Stubby for DNS; it sends DNS (TLS encrypted)
requests inside the VPN channel, link in red down below in my signature


Thanks.
I used OpenDNS and Google DNS. I tried both.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5903
Location: Netherlands

Posted: Sat Apr 11, 2020 17:58    Post subject:
Although you are not using policy based routing, have a look at https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686, the fourth post, about DNS leaks.

DD-WRT uses the DNS servers pushed by the VPN provider, so you have to check whether they are pushed.

You can view your DNS servers with cat /tmp/resolv.dnsmasq; if you are using the VPN, your non-VPN DNS servers are kept and can be viewed with cat /tmp/resolv.dnsmasq_isp.

So first check if the top two servers are from your ISP when connected.

If so, the simplest option is to enable Query DNS in Strict Order on the Services page.

This does not always help; then follow Alozaros's advice and use no-resolv and enter the DNS servers from Express so that those are always used. If you are using policy based routing you have more work to do :-)

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
James80
DD-WRT User


Joined: 09 Mar 2020
Posts: 121

Posted: Sat Apr 11, 2020 18:14    Post subject:
Great, thanks.
I will try that.
Btw, ExpressVPN keeps their DNS private, so I can't add them.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5903
Location: Netherlands

Posted: Sat Apr 11, 2020 18:22    Post subject:
James80 wrote:
Great, thanks.
I will try that.
Btw, ExpressVPN keeps their DNS private, so I can't add them.


Right, that is a problem indeed.

Let me know if you get the DNS servers from the provider and if Query DNS in Strict Order helps.

James80
DD-WRT User


Joined: 09 Mar 2020
Posts: 121

Posted: Sat Apr 11, 2020 18:54    Post subject:
egc wrote:
James80 wrote:
Great, thanks.
I will try that.
Btw, ExpressVPN keeps their DNS private, so I can't add them.


Right, that is a problem indeed.

Let me know if you get the DNS servers from the provider and if Query DNS in Strict Order helps.



It works.

Here is my resolv.dnsmasq_isp:

nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 1.1.1.1
nameserver 205.151.XXX
nameserver 205.151.XXX
nameserver 205.151.XXX

The last 3 are from my ISP.
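The check egc describes (look at what /tmp/resolv.dnsmasq and /tmp/resolv.dnsmasq_isp actually contain) and the mitigation Alozaros describes (pin dnsmasq to an allow-list with no-resolv and server= lines) can be scripted so the audit is repeatable after each VPN reconnect. The script below is an added example written for this thread, not DD-WRT code or anything posted by the participants. It uses a constructed resolv file modelled on the one posted above, with the redacted ISP entries replaced by RFC 5737 documentation addresses; the allow-list, the function names and the file path are assumptions for the example. On the router you would point it at /tmp/resolv.dnsmasq instead of the sample file.

```shell
#!/bin/sh
# Added example (not from the thread): audit a dnsmasq resolv file for
# nameservers outside an allow-list and emit the matching Additional DNSMasq
# Options block. POSIX sh only, so it also runs under busybox ash on DD-WRT.

# Constructed sample modelled on the resolv.dnsmasq_isp posted above; the
# three redacted ISP servers are replaced with RFC 5737 documentation addresses.
SAMPLE_RESOLV='nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 1.1.1.1
nameserver 203.0.113.10
nameserver 203.0.113.11
nameserver 203.0.113.12'

# Assumed allow-list: the OpenDNS and Cloudflare resolvers the poster chose.
ALLOWED="208.67.222.222 208.67.220.220 1.1.1.1"

# list_nameservers FILE: print the nameserver addresses, top entry first.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# find_leaks FILE ALLOWED: print every nameserver not in the allow-list,
# one per line; return 1 if any were found, 0 otherwise.
find_leaks() {
    leak_file=$1
    leak_allowed=" $2 "
    leak_rc=0
    for ns in $(list_nameservers "$leak_file"); do
        case "$leak_allowed" in
            *" $ns "*) ;;                 # expected resolver, nothing to report
            *) echo "$ns"; leak_rc=1 ;;   # anything else would be a leak path
        esac
    done
    return $leak_rc
}

# dnsmasq_options ALLOWED: emit the Additional DNSMasq Options that make
# dnsmasq ignore resolv.dnsmasq entirely and forward only to the allow-list.
dnsmasq_options() {
    echo "no-resolv"
    for ns in $1; do
        echo "server=$ns"
    done
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RESOLV" > "$tmp"
    echo "Nameservers in file order:"
    list_nameservers "$tmp"
    if leaks=$(find_leaks "$tmp" "$ALLOWED"); then
        echo "No unexpected DNS servers."
    else
        echo "Unexpected DNS servers (possible leak): $leaks"
        echo "Suggested Additional DNSMasq Options:"
        dnsmasq_options "$ALLOWED"
    fi
    rm -f "$tmp"
}

main
```

Run it after the tunnel comes up and again after a reconnect; a resolver that appears only for some VPN exit servers, as in the opening post, shows up as a new line in the leak output rather than needing an external leak-test page.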
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 6893
Location: Texas, USA

Posted: Sat Apr 11, 2020 18:58    Post subject:
The order of servers is read from the last one (bottom) up. Why would you have your ISP servers configured to be used?
_________________
Official Forum Rules, Guidelines, and Helpful Information | Firmware FAQ | Installation Wiki | Where Do I Download Firmware?
DON'T use Chromium-based browsers | RTFM/STFW - TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum.

---------------------------------------------------------

Linux User #377467 counter.li.org / linuxcounter.net
James80
DD-WRT User


Joined: 09 Mar 2020
Posts: 121

Posted: Sat Apr 11, 2020 19:18    Post subject:
kernel-panic69 wrote:
The order of servers is read from the last one (bottom) up. Why would you have your ISP servers configured to be used?


Don't know why it's there. I never knew the ISP DNS, and in DD-WRT it is not there.

My DNS are 2x OpenDNS + Cloudflare.
All times are GMT