Joined: 31 Aug 2012
Posted: Thu Aug 20, 2020 21:32 Post subject: Use DNSMasq with VPN
I've been reading up on the DNSMasq, DHCPMasq options.
If I enable the DNSMASQ option, are the DNS1, DNS2 fields ignored?
If using a VPN, what is the best option? Turn them off or on?
I've watched a few videos and in some cases the presenter makes a point of disabling them, others say to leave them on.
Joined: 18 Sep 2010
Posted: Fri Aug 21, 2020 0:47 Post subject:
A very complicated topic, at least once you get beyond the basics.
DNSMasq is *always* running, since it supports both DHCP and DNS services. By default, the DHCP server assigns every client its own LAN IP as the client's DNS server. In turn, it forwards non-local DNS queries to public DNS servers. The default public DNS server(s) are always those retrieved from the ISP over the WAN. But you can override that default behavior (something I strongly recommend) w/ the following DNSMasq options.
In effect, ignore whatever the ISP provided and only use the server(s) listed herein.
I suppose technically this isn't a DNS leak (after all, we're NOT using the ISP's DNS server(s)). But your DNS queries are still directed over the WAN and susceptible to spying, or worse, redirection. Not unless you use something like DNSCrypt, Stubby, etc. But then the entire selection of DNS servers changes since they have their own server options. All DNSMasq does is pass the publicly bound queries of clients to those tools for handling.
As far as OpenVPN, if the VPN provider pushes his own choice of DNS servers to the OpenVPN client (which is typical), the router will reconfigure the DNS server in DNSMasq to use them, thus preventing a DNS leak. But if you're using DNSCrypt or Stubby, perhaps you don't want that behavior. AFAIK, you're out of luck; it's over the VPN w/ the provider's DNS servers for you.
But even that has some caveats. Suppose you use PBR (policy based routing) on the OpenVPN client. Well that has the side effect of taking the router itself off the VPN (although individual clients behind the router can be routed over the VPN or WAN at your discretion). But suppose the OpenVPN provider pushes a *publicly* known and accessible DNS server (which I have seen), say Google, 18.104.22.168. Since the router itself is NOT bound to the VPN, those DNS queries occur over the WAN, NOT the VPN! The only way you can be assured they do occur over the VPN is if the VPN provider pushes DNS servers in the *private* IP space of his own network (most common, but not always the case), since the routing system knows those IPs are only available over the VPN. IOW, it's a routing decision, NOT a DNSMasq decision.
One way to make sure this doesn't happen is to add your preferred servers in DNSMasq as route directives in the OpenVPN client Additional Config field, plus use an appropriate pull-filter.
pull-filter ignore "dhcp-option DNS"
So even if PBR is active, and the router itself is off the VPN, and would normally route those IPs over the WAN as a result, the VPN is told we're not interested in your DNS servers, and to please add routes that point to the VPN for our choice of DNS servers. Once again, it's not DNSMasq making the decision, but the VPN, and only because YOU were aware this was necessary and configured appropriately.
Dirty little secret is, the whole issue of DNS servers, what gets used, when it gets used, who's providing them at any given time, when you have a DNS leak (online tools are notoriously inaccurate, and you can prove it by simply monitoring connection tracking on the router), etc., is a maze of "if this, then that, but if…" considerations too difficult for mere mortals to determine reliably. Even *I* struggle at times, but at least I know how to use the tools to dig out what's really happening. And believe me, DNS leaks abound w/ most routers and firmware precisely because of the complexity. Way too many chefs in the mixing bowl that influence which DNS servers get used, and when.
So hopefully the best option (imo) should be obvious; specify your own servers in DNSMasq, and bind them to the VPN in its config. At least then you always know which DNS servers are in play, and have assurance they're being directed over the VPN once it becomes active, even if PBR is active.
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
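As an added example (not part of the original post or of DD-WRT itself), here is the recommendation in the reply above put together in one place for a Linux-based router: the DNSMasq options that ignore the ISP-supplied resolvers, the OpenVPN client Additional Config lines that pin the chosen resolvers to the tunnel and discard the provider's pushed DNS, and a connection-tracking audit that does what the reply suggests instead of trusting an online leak test. The resolver addresses (Quad9's 9.9.9.9 and 149.112.112.112) are an arbitrary stand-in for whatever you choose, and the conntrack lines are constructed for the demonstration; on a real router you would feed the audit from /proc/net/nf_conntrack (or /proc/net/ip_conntrack on older kernels).

```shell
#!/bin/sh
# Added example, not from the original post. The resolver addresses are an
# arbitrary stand-in (Quad9); substitute your own choice.
DNS_SERVERS="9.9.9.9 149.112.112.112"

# 1. DNSMasq additional options: drop the ISP/WAN-supplied resolvers entirely
#    (no-resolv) and forward only to the servers listed here.
dnsmasq_options() {
  echo "no-resolv"
  for s in $DNS_SERVERS; do
    echo "server=$s"
  done
}

# 2. OpenVPN client "Additional Config": a host route via the VPN gateway for
#    each resolver, plus a refusal of the DNS servers the provider pushes
#    (pull-filter needs OpenVPN 2.4 or later). With PBR the router itself is
#    off the VPN, so without these routes its own queries would leave via the WAN.
openvpn_additional_config() {
  for s in $DNS_SERVERS; do
    echo "route $s 255.255.255.255 vpn_gateway"
  done
  echo 'pull-filter ignore "dhcp-option DNS"'
}

# 3. Audit from connection tracking: read conntrack entries on stdin, take the
#    original-direction destination of every flow to port 53, and flag any
#    resolver that is not in DNS_SERVERS.
#    On the router:  audit_dns_conntrack < /proc/net/nf_conntrack
audit_dns_conntrack() {
  awk -v allowed="$DNS_SERVERS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    ($0 " ") ~ / dport=53 / {
      # The first dst= field is the original direction: client -> resolver.
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dst=/) { split($i, kv, "="); seen[kv[2]]++; break }
      }
    }
    END {
      for (d in seen) {
        printf "%s %s %d\n", ((d in ok) ? "ok" : "LEAK"), d, seen[d]
      }
    }' | LC_ALL=C sort
}

# Constructed conntrack sample (not captured from a real router): two DNS flows
# to the chosen resolvers leaving via the tunnel address 10.8.0.6, one DNS flow
# to a resolver nobody configured leaving via the WAN address 198.51.100.7,
# and one unrelated HTTPS flow that the audit must ignore.
SAMPLE_CONNTRACK='ipv4     2 udp      17 27 src=192.168.1.10 dst=9.9.9.9 sport=51234 dport=53 src=9.9.9.9 dst=10.8.0.6 sport=53 dport=51234 mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.10 dst=149.112.112.112 sport=51235 dport=53 src=149.112.112.112 dst=10.8.0.6 sport=53 dport=51235 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=203.0.113.53 sport=40000 dport=53 src=203.0.113.53 dst=198.51.100.7 sport=53 dport=40000 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 300 ESTABLISHED src=192.168.1.11 dst=203.0.113.80 sport=40001 dport=443 src=203.0.113.80 dst=198.51.100.7 sport=443 dport=40001 [ASSURED] mark=0 use=1'

echo "# dnsmasq additional options"
dnsmasq_options
echo "# openvpn client additional config"
openvpn_additional_config
echo "# dns flows seen in conntrack"
printf '%s\n' "$SAMPLE_CONNTRACK" | audit_dns_conntrack
```

The audit only tells you which resolvers are being talked to, not over which interface; to confirm the routing side of the argument in the reply, check `ip route get 9.9.9.9` on the router while the tunnel is up and make sure the answer names the VPN interface rather than the WAN.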