STP may cause DNS leak?

kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 109
Location: DE

PostPosted: Sun Apr 12, 2020 22:54    Post subject: STP may cause DNS leak?
It might be interesting for some.

Enabling 'STP' in Setup/Networking will cause a DNS leak.

STP is also enabled in Setup/Basic Setup/WAN Setup.

I don't know how this is possible, but with enabling STP for the bridge, there will be just 1 hop <1ms with traceroute 1.1.1.1.
With STP off for the bridge, the route to 1.1.1.1 requires 4 or 5 hops, and I can see that the hops are using the Wireguard tunnel, as expected and desired.

1.1.1.1 is set as DNS on my DSL-modem (not on DD-WRT), and I do not want DD-WRT to use that DNS, but only the DNS of my Wireguard provider, which are set on DD-WRT running r42872.

1.1.1.1 is not appearing in /tmp/resolv.dnsmasq, when STP is enabled.

Could someone shed some light or explain this? If something is not clear, please ask.

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xAsus RT-AC87U
1xAsus RT-AC88U
1xTP710
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Mon Apr 13, 2020 5:29    Post subject:
well...what appears in your /tmp/resolv.dnsmasq in general...?
Do you use forced DNS on the DD-WRT router side...?
Do you have no-resolv, server=xxx.xxx.xxx.xxx (xxx being your DNS) in the advanced DNSmasq options?

In general it's not a good idea to have 2 DNS servers, as it seems the DNS on your modem is capping your DNS requests...
You should use only DNSmasq and those selected in the DNSmasq advanced commands.
You can also add interface=br1 or any interface you want DNSmasq to serve DNS on...
In general I'm avoiding STP for WAN, but yes, for internal use it saves hopping...even though I'm not using it...
Do you have any DNS set in the basic settings x3 boxes..?

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 109
Location: DE

PostPosted: Mon Apr 13, 2020 11:49    Post subject:
Dear Alozaros,

Yes, I set 2 DNS in Setup/Basic Setup: these are from my Wireguard provider and assumed to be safe. Those appear in resolv.dnsmasq, plus the IP of the DD-WRT router (local DNS).
Only dnsmasq is used; DHCP-Authoritative is enabled.
interface=br0 is already in dnsmasq.conf (automatically).
The new smartdns is off.

I have played with no-resolv in Services/dnsmasq options. If set (+2 DNS), enabling STP on br0 does not pull 1.1.1.1 from the DSL modem, so that's fine. However, accessing the internet seems bumpy on Windows for some reason, and applications are not able to resolve hostnames from IPs any more (because no-resolv is set), but this is a side-effect of the work-around to NOT pull DNS from the modem. This really should be fixed (https://svn.dd-wrt.com/ticket/6908).

Thanks for your input!
kooper.


Alozaros wrote:
well...what appears in your /tmp/resolv.dnsmasq in general...?
Do you use forced DNS on the DD-WRT router side...?
Do you have no-resolv, server=xxx.xxx.xxx.xxx (xxx being your DNS) in the advanced DNSmasq options?

In general it's not a good idea to have 2 DNS servers, as it seems the DNS on your modem is capping your DNS requests...
You should use only DNSmasq and those selected in the DNSmasq advanced commands.
You can also add interface=br1 or any interface you want DNSmasq to serve DNS on...
In general I'm avoiding STP for WAN, but yes, for internal use it saves hopping...even though I'm not using it...
Do you have any DNS set in the basic settings x3 boxes..?

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xAsus RT-AC87U
1xAsus RT-AC88U
1xTP710
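The two posts above come down to one check and one configuration: verify which upstream resolvers ended up in /tmp/resolv.dnsmasq (the modem's 1.1.1.1 showing up there is the leak), and, if you go the no-resolv route, supply explicit server= lines so dnsmasq still has upstreams. The following shell script is an added example written for this thread, not code from any poster or from DD-WRT itself. The resolver addresses 10.64.0.1 and 10.64.0.2 and the sample resolv file contents are constructed placeholders; substitute your VPN provider's resolvers.

```shell
#!/bin/sh
# Added example (not from the thread): audit the nameserver list dnsmasq would
# forward to against the upstreams you actually intend (your WireGuard
# provider's resolvers), and print the dnsmasq options that pin them.
# The addresses below are constructed placeholders.

# Nameservers you want dnsmasq to use. Replace with your provider's resolvers.
EXPECTED_DNS="10.64.0.1 10.64.0.2"

# check_resolv FILE
# Returns 0 if every 'nameserver' entry in FILE is in EXPECTED_DNS,
# 1 if an unexpected upstream (e.g. the modem's 1.1.1.1) is present.
# Unexpected entries are printed for inspection.
check_resolv() {
    resolv_file="$1"
    rc=0
    while read -r key value _; do
        [ "$key" = "nameserver" ] || continue
        found=0
        for ok in $EXPECTED_DNS; do
            if [ "$value" = "$ok" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "unexpected upstream: $value"
            rc=1
        fi
    done < "$resolv_file"
    return $rc
}

# dnsmasq_pin_options
# Prints the "Additional DNSMasq Options" fragment that stops dnsmasq from
# reading resolv.dnsmasq at all (no-resolv) and hardcodes the expected
# upstreams, so no server pushed by the modem can be picked up.
dnsmasq_pin_options() {
    echo "no-resolv"
    for s in $EXPECTED_DNS; do
        echo "server=$s"
    done
    echo "interface=br0"
}

# Demo run: "sh leakcheck.sh demo" builds a constructed resolv file that
# mimics the state described in the thread (the modem's 1.1.1.1 pulled in).
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf 'nameserver 10.64.0.1\nnameserver 10.64.0.2\nnameserver 1.1.1.1\n' > "$tmp"
    if check_resolv "$tmp"; then
        echo "resolv.dnsmasq contains only expected upstreams"
    else
        echo "leak detected; suggested Additional DNSMasq Options:"
        dnsmasq_pin_options
    fi
    rm -f "$tmp"
fi
```

On the router you would run check_resolv against /tmp/resolv.dnsmasq directly (for example from a cron job or after toggling STP) rather than the constructed file. Note that with no-resolv in place the server= lines are mandatory, since dnsmasq then ignores resolv.dnsmasq entirely; that is also why, in the poster's case, name resolution breaks if no-resolv is set without them.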
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Mon Apr 13, 2020 17:01    Post subject:
vlan2 should not be assigned to br0 when used as WAN port.
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 109
Location: DE

PostPosted: Tue Apr 14, 2020 22:26    Post subject:
Per Yngve Berg wrote:
vlan2 should not be assigned to br0 when used as WAN port.


I did not assign the WAN port to vlan2 by intention; perhaps it is assigned automagically when setting mode to client bridge or when adding Wireguard as tunnel?

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xAsus RT-AC87U
1xAsus RT-AC88U
1xTP710
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Tue Apr 14, 2020 23:01    Post subject:
kooper2013 wrote:
Per Yngve Berg wrote:
vlan2 should not be assigned to br0 when used as WAN port.


I did not assign the WAN port to vlan2 by intention; perhaps it is assigned automagically when setting mode to client bridge or when adding Wireguard as tunnel?


Correct. If you assign the WAN port to the switch, it is assigned to br0 (on Broadcom). I can't remember how the other platforms do it automagically. I am not having any DNS leaks on the ol' antique E4200 v1 in CB mode.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net