STP may cause DNS leak?

DD-WRT Forum Index -> Advanced Networking
Author Message
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 74
Location: DE

PostPosted: Sun Apr 12, 2020 22:54    Post subject: STP may cause DNS leak?
It might be interesting for some.

Enabling 'STP' in Setup/Networking will cause a DNS leak.

STP is also enabled in Setup/Basic Setup/WAN Setup.

I don't know how this is possible, but with enabling STP for the bridge, there will be just 1 hop <1ms with traceroute 1.1.1.1.
With STP off for the bridge, the route to 1.1.1.1 requires 4 or 5 hops, and I can see that the hops are using the Wireguard tunnel, as expected and desired.

1.1.1.1 is set as DNS on my DSL-modem (not on DD-WRT), and I do not want DD-WRT to use that DNS, but only the DNS of my Wireguard provider, which are set on DD-WRT running r42872.

1.1.1.1 is not appearing in /tmp/resolv.dnsmasq, when STP is enabled.

Could someone shed some light or explain this? If something is not clear, please ask.

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xAsus RT-AC87U
1xAsus RT-AC88U
1xTP710
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3863
Location: UK, London, just across the river..

PostPosted: Mon Apr 13, 2020 5:29
Well... what appears in your /tmp/resolv.dnsmasq in general...?
Do you use forced DNS on the DD-WRT router side...?
Do you have no-resolv, server=xxx.xxx.xxx.xxx (xxx your DNS) in advanced DNSmasq?

In general it's not a good idea to have 2 DNS servers, as it seems the DNS on your modem is capping your DNS requests...
You should use only DNSmasq and those selected in DNSmasq advanced commands.
You can also add interface=br1 or any interface you want DNSmasq to serve with DNS...
In general I'm avoiding STP for WAN, but yes, for internal use it saves hopping... even though I'm not using it...
Do you have any DNS set in basic settings x3 boxes..?

_________________
Atheros
TP-Link WR740Nv1 -----DD-WRT 44538 BS AP,NAT
TP-Link WR740Nv4 -----DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ---DD-WRT 44538 BS AP,NAT,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---DD-WRT 44538 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -----DD-WRT 44538 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -----DD-WRT 44538 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
-----------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 74
Location: DE

PostPosted: Mon Apr 13, 2020 11:49
Dear Alozaros,

Yes, I set 2 DNS in Setup/Basic Setup: these are by my Wireguard provider and assumed safe. Those appear in resolv.dnsmasq, plus the IP of the DD-WRT router (local DNS).
Only dnsmasq is used; DHCP-Authoritative is enabled.
interface=br0 is already in dnsmasq.conf (automatically).
The new smartdns is off.

I have played with no-resolv in Services/dnsmasq options. If set (+2 DNS), enabling STP in br0 does not pull 1.1.1.1 from the DSL modem, so that's fine. However, accessing the internet seems bumpy on Windows for some reason and applications are not able to resolve hostnames from IPs any more (because no-resolv is set), but this is a side-effect of the work-around to NOT pull DNS from the modem. This really should be fixed (https://svn.dd-wrt.com/ticket/6908).

Thanks for your input!
kooper.


Alozaros wrote:
Well... what appears in your /tmp/resolv.dnsmasq in general...?
Do you use forced DNS on the DD-WRT router side...?
Do you have no-resolv, server=xxx.xxx.xxx.xxx (xxx your DNS) in advanced DNSmasq?

In general it's not a good idea to have 2 DNS servers, as it seems the DNS on your modem is capping your DNS requests...
You should use only DNSmasq and those selected in DNSmasq advanced commands.
You can also add interface=br1 or any interface you want DNSmasq to serve with DNS...
In general I'm avoiding STP for WAN, but yes, for internal use it saves hopping... even though I'm not using it...
Do you have any DNS set in basic settings x3 boxes..?

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xAsus RT-AC87U
1xAsus RT-AC88U
1xTP710
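The two posts above both come down to one question: which upstream resolvers does dnsmasq actually hold, and is any of them one you did not intend (here, the 1.1.1.1 learned from the DSL modem). The script below is an added example, not code from the thread or from DD-WRT, that audits a resolv.dnsmasq-style file ("nameserver <ip>" lines, as on DD-WRT) against an allowlist of the resolvers you expect, prints the "no-resolv" plus "server=" lines Alozaros suggests for pinning them, and, on a live router, names the interface the kernel would route a resolver through so you can confirm it is the tunnel and not the WAN. The 10.64.0.x addresses and the sample file are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): audit dnsmasq's upstream
# resolver list against the set you expect (the VPN provider's servers) and
# report any other address, such as one learned from the modem. Assumes the
# file uses "nameserver <ip>" lines like /tmp/resolv.dnsmasq on DD-WRT.

# Print every nameserver in file $1 that is not in the space-separated
# allowlist $2. Returns 0 if all resolvers are expected, 1 if any is not.
unexpected_resolvers() {
    ur_file=$1
    ur_allow=$2
    ur_bad=0
    while read -r ur_key ur_addr ur_rest; do
        [ "$ur_key" = "nameserver" ] || continue
        case " $ur_allow " in
            *" $ur_addr "*) ;;                  # expected upstream
            *) echo "$ur_addr"; ur_bad=1 ;;     # not on the allowlist
        esac
    done < "$ur_file"
    return $ur_bad
}

# Emit the dnsmasq options that pin the upstreams regardless of what the
# WAN side hands out: the no-resolv + server= approach from the thread.
pinned_dnsmasq_options() {
    echo "no-resolv"
    for pd_srv in $1; do
        echo "server=$pd_srv"
    done
}

# On a live router: name the interface the kernel would use to reach $1,
# so you can check that DNS traffic leaves via the tunnel interface rather
# than the WAN. Returns 2 (and prints nothing) when the ip tool is missing.
route_iface() {
    command -v ip >/dev/null 2>&1 || return 2
    ip route get "$1" 2>/dev/null | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# --- stand-alone demo on a constructed sample file -----------------------
# Constructed: two provider resolvers (hypothetical 10.64.0.x) plus 1.1.1.1
# picked up from the modem, the situation described in the first post.
DEMO_FILE="${TMPDIR:-/tmp}/resolv.dnsmasq.demo"
printf 'nameserver 10.64.0.1\nnameserver 10.64.0.2\nnameserver 1.1.1.1\n' > "$DEMO_FILE"
EXPECTED="10.64.0.1 10.64.0.2"

if leaked=$(unexpected_resolvers "$DEMO_FILE" "$EXPECTED"); then
    echo "all upstream resolvers are on the allowlist"
else
    echo "unexpected upstream resolver(s): $leaked"
    echo "dnsmasq options that would pin the upstreams:"
    pinned_dnsmasq_options "$EXPECTED"
fi
rm -f "$DEMO_FILE"
```

On a router you would point unexpected_resolvers at /tmp/resolv.dnsmasq itself and call route_iface with one of the provider's resolver addresses; if the interface printed is the WAN-side one rather than the WireGuard tunnel, the queries are taking the same path the traceroute in the first post showed.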
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5800
Location: Romerike, Norway

PostPosted: Mon Apr 13, 2020 17:01
vlan2 should not be assigned to br0 when used as WAN port.
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 74
Location: DE

PostPosted: Tue Apr 14, 2020 22:26
Per Yngve Berg wrote:
vlan2 should not be assigned to br0 when used as WAN port.


I did not assign the WAN port to vlan2 by intention; perhaps it is assigned automagically when setting mode to client bridge or when adding Wireguard as tunnel?

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xAsus RT-AC87U
1xAsus RT-AC88U
1xTP710
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7257
Location: Texas, USA

PostPosted: Tue Apr 14, 2020 23:01
kooper2013 wrote:
Per Yngve Berg wrote:
vlan2 should not be assigned to br0 when used as WAN port.


I did not assign the WAN port to vlan2 by intention; perhaps it is assigned automagically when setting mode to client bridge or when adding Wireguard as tunnel?


Correct. If you assign WAN port to switch, it is assigned to br0 (on Broadcom). I can't remember how the other platforms do it automagically. I am not having any DNS leaks on the ol' antique E4200 v1 in CB mode.

_________________
Official Forum Rules, Guidelines, and Helpful Information • Firmware FAQ • Installation Wiki • Where Do I Download Firmware?
DON'T use Chromium-based browsers • RTFM/STFW - TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum.

---------------------------------------------------------

Linux User #377467 counter.li.org / linuxcounter.net