Posted: Wed Dec 07, 2022 14:32 Post subject: [SOLVED] Policy based routing blocks amazon.com
Hello, I have set up policy based routing on my DD-WRT router. Only two hosts are allowed to use the VPN network. However, for some strange reason, the amazon.com website gets blocked on hosts that don't use the VPN. Every other major website works except for amazon.com. If I turn off policy-based routing, amazon.com works. DNS works. I can get the Amazon IP using the dig command on my Linux computer, but I can't ping amazon.com and it can't load in any browser. I completely don't understand this.
Joined: 18 Mar 2014 Posts: 12839 Location: Netherlands
Posted: Wed Dec 07, 2022 14:55 Post subject:
Welcome to the forum. Start with sharing which router and which build, which provider and how you have set it up.
The OpenVPN Documentation/Setup Guide is a sticky in this forum: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
At least I am assuming you are using OpenVPN; WireGuard is also a sticky in this forum if you are using that.
Amazon (like Netflix etc.) actively tracks VPN.
It does not only track the IP addresses but also the origin of the DNS request.
When using OpenVPN almost all OpenVPN providers push their own DNS servers and those are the ones used, so although your IP address is not routed via the VPN, the DNS is.
Thanks for your response. If that's the case, how is it then that I can access Amazon through the hosts that connect to OpenVPN? It doesn't make sense.
I am running a D-Link DIR-885L WiFi router. I'll share the build number later as I am currently not connected to the router.
The VPN will not be leaking DNS; your WAN will be. Simply run a DNS check to confirm this. EGC has given you the answer.
_________________
Netgear R7800 PPPoE Main Router
Network IPv4 - Isolated VLANs with IoT Devices. Unifi AC-Pro x 3 APs, Router Wi-Fi Disabled. OVPN Server With Paid Commercial WireGuard Clients. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.
No one can build you the bridge on which you, and only you, must cross the river of life!
My DNS servers are set to Google's public DNS 8.8.8.8 and 8.8.4.4 on DD-WRT web interface.
Meanwhile, I am using build Firmware: DD-WRT v3.0-r44715 std (11/03/20). Checking my upstream DNS servers from my Linux PC reveals the gateway/router as the DNS server.
Posted: Fri Dec 09, 2022 14:16 Post subject:
That is why we recommend sharing which build number is being used.
Build 44715 is old and outdated with security issues.
Upgrading is recommended, and as you are coming from a rather old build a reset *after* update and putting in settings manually is also highly recommended, never restore from a backup (to a different build that is).
See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Latest build is 50963
DNSMasq hands out the router's IP address as DNS server, because that is where DNSMasq is listening.
In a normal VPN setup to a provider which pushes its DNS server, that pushed DNS server from the provider is used as the upstream DNS server by DNSMasq (and there is even a route via the VPN made for that pushed DNS server).
So usually when using the DD-WRT OpenVPN client to a commercial provider, all your LAN clients, even the ones not routed via the VPN, will use the pushed DNS server and the DNS request is going via the VPN.
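An added diagnostic, not part of any post in this thread, for checking the situation described above from a LAN host that is *not* routed via the VPN: it compares the public IP the host's resolver egresses from (as seen by Akamai's whoami.akamai.net authoritative server) with the host's own direct egress IP (as seen by OpenDNS). If the two differ and the resolver's egress matches the VPN provider's address, DNS is leaving via the tunnel while traffic leaves via the WAN. The VPN_EGRESS_IP variable and the "--live" flag are this script's own conventions; dig and Internet access are needed only for the live part.

```shell
#!/bin/sh
set -eu

# Pure verdict step, so the logic can be checked without network access.
# Args: resolver egress IP, host egress IP, VPN provider egress IP (optional)
dns_verdict() {
  resolver_ip=$1; host_ip=$2; vpn_ip=${3:-}
  if [ -z "$resolver_ip" ] || [ -z "$host_ip" ]; then
    echo "UNKNOWN: lookup failed"; return 2
  fi
  if [ "$resolver_ip" = "$host_ip" ]; then
    echo "OK: DNS and traffic share the same egress ($host_ip)"; return 0
  fi
  if [ -n "$vpn_ip" ] && [ "$resolver_ip" = "$vpn_ip" ]; then
    echo "LEAK: DNS egresses via the VPN ($resolver_ip), traffic via $host_ip"; return 1
  fi
  echo "MISMATCH: DNS egress $resolver_ip differs from traffic egress $host_ip"; return 1
}

# Live lookups:
# - myip.opendns.com asked directly at resolver1.opendns.com answers with the
#   querier's public IP, i.e. this host's own (WAN) egress.
# - whoami.akamai.net asked through the default resolver (the router running
#   DNSMasq) answers with the IP of the recursive resolver that reached Akamai,
#   i.e. the egress the upstream DNS path actually uses.
live_check() {
  host_ip=$(dig +short myip.opendns.com @resolver1.opendns.com | tail -n 1)
  resolver_ip=$(dig +short whoami.akamai.net | tail -n 1)
  dns_verdict "$resolver_ip" "$host_ip" "${VPN_EGRESS_IP:-}"
}

if [ "${1:-}" = "--live" ]; then
  live_check
fi
```

Run it as `VPN_EGRESS_IP=<provider address> sh dnscheck.sh --live` on a non-VPN host; a LEAK or MISMATCH verdict is the symptom EGC describes, and the thread's later fix (Split DNS) should turn it into OK.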
Few cents from my side.
I had exactly the same issue (OpenVPN with external provider, Source Routing PBR enabled, separate network, separate SSID, DNS over Dnsmasq, but I was getting DNS from the VPN provider).
I read the PDFs that EGC recommended (DNS problems and PBR guide). The v1.15 documents are very good, although I didn't find a reference in there that choosing the "Split DNS" checkbox in the GUI is all that I had to do to fix the issue.
Perhaps there is a newer version of this document somewhere. v1.15 is dated Nov 2021, so I would assume "Split DNS" was implemented afterwards?
Not a big deal though.
I'm glad I was able to reach this thread and perhaps it would be useful for anyone who has the same issue.