My DNS is leaking w/ Unbound, VPN & PBR

rkwood
DD-WRT Novice


Joined: 05 Apr 2018
Posts: 19

PostPosted: Wed Jun 05, 2019 17:30    Post subject: My DNS is leaking w/ Unbound, VPN & PBR
I'm running DD-WRT r39884 on a Linksys WRT32X with a VPN (Private Internet Access) using Policy Based Routing. My PBR configuration has IP addresses 192.168.1.100 through 192.168.1.150 routing through the VPN and all others going straight out through the ISP.

Here's my problem - it appears that Unbound is going straight through to the ISP for DNS queries because DNSLeakTest.com is reporting that Comcast is providing DNS service. I wish to avoid that.

With the default Unbound configuration (via checking the GUI box on the setup page), what are the simplest ways to 1) put Unbound behind the VPN and 2) force Unbound to use DNS servers of my choosing?

Any help would be greatly appreciated. Thank you.

Randy
rkwood
DD-WRT Novice


Joined: 05 Apr 2018
Posts: 19

PostPosted: Wed Jun 05, 2019 21:46    Post subject:
While waiting for some expert advice, I entered:

no-resolv
interface=tun1
server=1.1.1.1 #CloudFlare DNS Server

into Dnsmasq Options and made sure that "Use DNSMasq For DNS" and "Query DNS in Strict Order" were both checked. (I tried this with and without the 'interface=tun1' command and rebooted after the 'save'.)

This did not help. My router is based on the Marvell chipset, so a Kong build really is not an option if I want the latest security updates and the current (fully functional) driver.

Any thoughts? I just want the DNS queries to go anywhere but to my ISP (Comcast). Is there any way to create a Policy for Unbound to use the VPN? Or am I smoking crack?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Wed Jun 05, 2019 23:46    Post subject:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=319747

Ultimately this problem will be solved w/ new technologies, like DoT (DNS over TLS), DoH (DNS over HTTPS), etc.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
rkwood
DD-WRT Novice


Joined: 05 Apr 2018
Posts: 19

PostPosted: Thu Jun 06, 2019 1:40    Post subject:
Thanks for the link to the thread and script.

Disabling Unbound and leaving everything else as described sends all DNS traffic to CloudFlare (likely via my ISP), however Secure DNS & Encrypted SNI are only present in a properly configured browser - so this is still not good because anyone "listening on the wire" can otherwise see the DNS queries & website connections.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2819
Location: UK, London, just across the river..

PostPosted: Thu Jun 06, 2019 9:00    Post subject:
Well, DNS leak is nothing new; there are a few things to help....

use forced DNS settings option from a basic setup
use DNS strict order

domain-needed
no-poll
bogus-priv
no-resolv
interface=tun1
server=1.1.1.1


Or you can try DNSCrypt or Stubby with DNS over TLS,
where Stubby uses recursive DNS servers too. Here is a bit of a talk about Stubby: Stubby for DNS over TLS
I made it work via Entware on my lower-grade router; otherwise I use DNSCrypt on my other devices if possible.

There is also a VPN kill switch, but this is not the case here...

If your DNSCrypt option is missing from the GUI and you still have the module for it, you can force it to run via a startup script...

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 33772 BS WAP/Switch (wired)
TP-Link WR1043NDv2 -----DD-WRT 41074 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 -----DD-WRT 41075 BS (AP,NAT,AD Blocking,Firewall,Wi-Fi OFF,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 -----Gargoyle OS 1.11.0 (AP,NAT,QoS,Quotas)
Qualcomm/IPQ8065
Netgear R7800 ---------DD-WRT 40270M 4.9 Kong (AP,NAT,AD-Blocking,AP&Net Isolation,Firewall,Local DNS,Forced DNS,DNSCrypt v2 x2)
Broadcom
Netgear R7000 ---------DD-WRT 40270M Kong (AP,NAT,VLAN,AD-Blocking,Firewall,Local DNS,Forced DNS,DoT)
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3790
Location: Netherlands

PostPosted: Thu Jun 06, 2019 9:54    Post subject:
The problem with PBR is that the router itself is not using the VPN tunnel and thus the DNS query is out in the open.

There is however a solution for this problem, see the following thread: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662

Especially the second posting deals with DNS leaks and PBR.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
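An added example, not part of this thread and not taken from any DD-WRT or PBR script, that checks the point egc makes above: PBR steers client source addresses into the tunnel, but the router's own upstream queries follow the main routing table, so the place to look is the route the router would use to reach each resolver. The script extracts the upstream addresses from dnsmasq "server=" lines (the same options rkwood and Alozaros post) and asks iproute2's "ip route get" which interface each one would leave through; anything not leaving on the tunnel is reported as a leak. Assumptions: the tunnel interface is tun1 (as in the thread), DD-WRT's generated dnsmasq config is at /tmp/dnsmasq.conf (both overridable by environment variable), and the sample route line in the comments is constructed. Note that "interface=tun1" in dnsmasq only sets where it listens for clients; it does not change which interface the upstream query leaves on, which is why the route lookup is what decides whether the query is visible to the ISP.

```shell
#!/bin/sh
# Added example (not part of the thread or of any DD-WRT script).
# Reports whether the router's own upstream DNS servers would leave via the VPN.
# Assumptions: VPN interface is tun1 (as in the thread); DD-WRT's generated
# dnsmasq config is /tmp/dnsmasq.conf; iproute2 "ip route get" is available.

VPN_IF="${VPN_IF:-tun1}"
DNSMASQ_CONF="${DNSMASQ_CONF:-/tmp/dnsmasq.conf}"

# egress_dev: from "ip route get <addr>" output, print the device after "dev".
# Constructed sample line: "1.1.1.1 via 10.8.0.1 dev tun1 src 10.8.0.2 uid 0"
egress_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# classify_route: "vpn" when the route leaves through $VPN_IF, otherwise "leak"
classify_route() {
    if [ "$(egress_dev "$1")" = "$VPN_IF" ]; then
        echo vpn
    else
        echo leak
    fi
}

# dnsmasq_servers: list upstream addresses from "server=" lines in a dnsmasq
# config text, dropping trailing comments such as "#CloudFlare DNS Server"
dnsmasq_servers() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*server=\([^#[:space:]]*\).*/\1/p'
}

# check_live: run the route lookup for every configured upstream on the router.
# Returns 1 when any server would bypass the tunnel (or cannot be routed), else 0.
check_live() {
    rc=0
    conf=$(cat "$DNSMASQ_CONF" 2>/dev/null) || { echo "cannot read $DNSMASQ_CONF"; return 1; }
    for s in $(dnsmasq_servers "$conf"); do
        out=$(ip route get "$s" 2>/dev/null) || { echo "$s: no route"; rc=1; continue; }
        verdict=$(classify_route "$out")
        echo "$s -> $(egress_dev "$out") [$verdict]"
        [ "$verdict" = vpn ] || rc=1
    done
    return $rc
}

# The live check only runs when invoked as: sh leakcheck.sh run
case "$1" in
    run) check_live ;;
esac
```

Save it on the router as leakcheck.sh and run "sh leakcheck.sh run"; a non-zero exit status means at least one upstream resolver is reached outside tun1. This complements DNSLeakTest.com rather than replacing it: the site reports which resolvers reach the authoritative side, while this check tells you, before any query is sent, which interface the router's own traffic to each resolver will take.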