Posted: Sun Apr 12, 2020 22:54 Post subject: STP may cause DNS leak?
It might be interesting for some.
Enabling 'STP' in Setup/Networking will cause a DNS leak.
STP is also enabled in Setup/Basic Setup/WAN Setup.
I don't know how this is possible, but with STP enabled for the bridge, there is just 1 hop (<1ms) with traceroute 1.1.1.1.
With STP off for the bridge, the route to 1.1.1.1 requires 4 or 5 hops, and I can see that the hops are using the Wireguard tunnel, as expected and desired.
1.1.1.1 is set as DNS on my DSL modem (not on DD-WRT), and I do not want DD-WRT to use that DNS, but only the DNS of my Wireguard provider, which are set on DD-WRT running r42872.
1.1.1.1 is not appearing in /tmp/resolv.dnsmasq, when STP is enabled.
Could someone shed some light or explain this? If something is not clear, please ask. _________________ 3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xAsus RT-AC87U
1xAsus RT-AC88U
1xTP710
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Mon Apr 13, 2020 5:29 Post subject:
Well...what appears in your /tmp/resolv.dnsmasq in general...?
Do you use forced DNS on the DD-WRT router side...?
Do you have no-resolv, server=xxx.xxx.xxx.xxx (xxx your DNS) in the advanced DNSmasq options?
In general it's not a good idea to have 2 DNS servers, as it seems the DNS on your modem is capping your DNS requests...
You should use only DNSmasq and those selected in the DNSmasq advanced commands.
You can also add interface=br1 or any interface you want DNSmasq to serve DNS on...
In general I'm avoiding STP for WAN, but yes, for internal use it saves hopping...even though I'm not using it...
Do you have any DNS set in the basic settings x3 boxes..? _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Yes, I set 2 DNS in Setup/Basic Setup: these are by my Wireguard provider and assumed to be safe. Those appear in resolv.dnsmasq, plus the IP of the DD-WRT router (local DNS).
Only dnsmasq is used, DHCP-Authoritative is enabled.
interface=br0 is already in dnsmasq.conf (automatically).
The new smartdns is off.
I have played with no-resolv in Services/dnsmasq options. If set (+2 DNS), enabling STP on br0 does not pull 1.1.1.1 from the DSL modem, so that's fine. However, accessing the internet seems bumpy on Windows for some reason, and applications are not able to resolve hostnames from IPs any more (because no-resolv is set), but this is a side-effect of the work-around to NOT pull DNS from the modem. This really should be fixed (https://svn.dd-wrt.com/ticket/6908).
Thanks for your input!
kooper.
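As an added example (not code from this thread or from DD-WRT), here is a small POSIX sh script covering both Alozaros's no-resolv/server= suggestion and kooper's test of it above: it lists every upstream in a resolv.dnsmasq-style file that is not on an allow list, and emits the "Additional dnsmasq options" lines that pin the upstreams so nothing learned from the WAN side (such as the modem's 1.1.1.1) is used. The file content and the 10.64.0.x "provider" addresses are constructed for the example; on the router the real file is /tmp/resolv.dnsmasq and the allow list would be the WireGuard provider's servers.

```shell
#!/bin/sh
# Added example, not from the thread: check which upstreams dnsmasq would read
# from a resolv.dnsmasq-style file and flag any that are not in an allow list.
# On DD-WRT the real file is /tmp/resolv.dnsmasq; the content and the
# 10.64.0.x "provider" addresses below are constructed for this example.

# Print every "nameserver X" in FILE whose X is not in ALLOWED (space separated).
# Returns 0 when nothing unexpected was found, 1 otherwise.
unexpected_nameservers() {
    file=$1
    allowed=$2
    found=0
    while read -r key val _; do
        [ "$key" = "nameserver" ] || continue
        case " $allowed " in
            *" $val "*) ;;              # expected upstream
            *) echo "$val"; found=1 ;;  # e.g. the modem's 1.1.1.1
        esac
    done < "$file"
    return $found
}

# Emit "Additional dnsmasq options" that pin the upstreams: no-resolv stops
# dnsmasq from reading /tmp/resolv.dnsmasq at all, so only the server= lines
# are used as forwarders.
dnsmasq_pin_upstreams() {
    echo "no-resolv"
    for s in $1; do
        echo "server=$s"
    done
}

# Demo with a constructed file: two provider servers plus a leaked 1.1.1.1.
allowed="10.64.0.1 10.64.0.2"
sample=$(mktemp)
printf 'nameserver 10.64.0.1\nnameserver 10.64.0.2\nnameserver 1.1.1.1\n' > "$sample"

if unexpected_nameservers "$sample" "$allowed"; then
    echo "OK: only expected upstreams in $sample"
else
    echo "LEAK: the upstream(s) above are not on the allow list; pin with:"
    dnsmasq_pin_upstreams "$allowed"
fi
rm -f "$sample"
```

On the router, run `unexpected_nameservers /tmp/resolv.dnsmasq "<provider DNS 1> <provider DNS 2>"` after toggling STP to see whether the modem's resolver has been pulled in; the no-resolv/server= lines go into Services/dnsmasq additional options, with the side-effect kooper describes above.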
Alozaros wrote:
Well...what appears in your /tmp/resolv.dnsmasq in general...?
Do you use forced DNS on the DD-WRT router side...?
Do you have no-resolv, server=xxx.xxx.xxx.xxx (xxx your DNS) in the advanced DNSmasq options?
In general it's not a good idea to have 2 DNS servers, as it seems the DNS on your modem is capping your DNS requests...
You should use only DNSmasq and those selected in the DNSmasq advanced commands.
You can also add interface=br1 or any interface you want DNSmasq to serve DNS on...
In general I'm avoiding STP for WAN, but yes, for internal use it saves hopping...even though I'm not using it...
Do you have any DNS set in the basic settings x3 boxes..?
vlan2 should not be assigned to br0 when used as WAN port.
I did not assign the WAN port to vlan2 by intention; perhaps it is assigned automagically when setting mode to client bridge or when adding Wireguard as tunnel?
Joined: 08 May 2018 Posts: 14125 Location: Texas, USA
Posted: Tue Apr 14, 2020 23:01 Post subject:
kooper2013 wrote:
Per Yngve Berg wrote:
vlan2 should not be assigned to br0 when used as WAN port.
I did not assign the WAN port to vlan2 by intention; perhaps it is assigned automagically when setting mode to client bridge or when adding Wireguard as tunnel?
Correct. If you assign the WAN port to the switch, it is assigned to br0 (on Broadcom). I can't remember how the other platforms do it automagically. I am not having any DNS leaks on the ol' antique E4200 v1 in CB mode. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
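As an added example (not from the thread or from DD-WRT), the check a practitioner would want after the last two posts: parse `brctl show` output and warn when the WAN VLAN (vlan2 on the page's Broadcom units) has ended up as a port of the LAN bridge, together with the bridge's STP state. The `brctl show` text below is constructed for the example; on the router pipe the real `brctl show` output into `wan_bridged_check` (the same port list is also visible under /sys/class/net/br0/brif/).

```shell
#!/bin/sh
# Added example, not from the thread: detect a WAN interface that is a port of
# the LAN bridge, using brctl-show style output on stdin.
# BRCTL_SAMPLE is constructed for this example (a br0 with STP on that has
# swallowed vlan2, and a clean br1); on the router use: brctl show | wan_bridged_check br0 vlan2

# Print the ports of bridge $1 from brctl-show output on stdin.
# brctl prints the first port on the bridge line (field 4) and further
# ports on continuation lines that start with whitespace.
bridge_ports() {
    awk -v b="$1" '
        NR == 1 { next }                                   # header line
        /^[^ \t]/ { inb = ($1 == b); if (inb && NF >= 4) print $4; next }
        inb { print $1 }                                   # continuation line
    '
}

# Print the "STP enabled" column (yes/no) of bridge $1 from stdin.
bridge_stp() {
    awk -v b="$1" 'NR > 1 && $1 == b { print $3 }'
}

# wan_bridged_check BRIDGE WANIF < brctl-output
# Returns 0 when WANIF is not a port of BRIDGE, 1 when it is (WAN bridged to LAN).
wan_bridged_check() {
    bridge=$1
    wanif=$2
    out=$(cat)
    if printf '%s\n' "$out" | bridge_ports "$bridge" | grep -qx "$wanif"; then
        echo "WARNING: $wanif is a port of $bridge (STP enabled: $(printf '%s\n' "$out" | bridge_stp "$bridge"))"
        return 1
    fi
    echo "OK: $wanif is not bridged into $bridge"
    return 0
}

# Constructed sample output in brctl's layout.
BRCTL_SAMPLE=$(printf 'bridge name\tbridge id\t\tSTP enabled\tinterfaces\nbr0\t\t8000.001122334455\tyes\t\tvlan1\n\t\t\t\t\t\t\teth1\n\t\t\t\t\t\t\tvlan2\nbr1\t\t8000.001122334466\tno\t\teth2\n')

printf '%s\n' "$BRCTL_SAMPLE" | wan_bridged_check br0 vlan2 || true
printf '%s\n' "$BRCTL_SAMPLE" | wan_bridged_check br1 vlan2
```

If the WAN VLAN shows up as a bridge port, the LAN bridge (and STP on it) is switching WAN traffic alongside the LAN ports, which matches the one-hop traceroute symptom in the first post; the fix is on the VLAN/bridge assignment, not in dnsmasq.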