Posted: Fri Mar 10, 2023 2:20 Post subject: DNS + Leak Test Check
Hi all, out of the blue my banking site won't load up. About 1 week ago I switched from OpenVPN to WireGuard. I could have sworn that the banking site worked with WireGuard; regardless, I switched back to OpenVPN to eliminate whether it was WireGuard or not. Well, it doesn't work with OpenVPN as well.
This is the site https://www.commbank.com.au/
Checking over my router settings (updated to build 51976, R7000), in basic settings I had one DNS server, 8.8.8.8. I went ahead and added a secondary DNS, 1.1.1.1. The banking site sprang to life.
Now I'm not sure if this is safe or not. I did an ipleak test at https://ipleak.net/; the IP address detected is my VPN IP, and the DNS addresses are IP addresses not familiar to me, from Google and Cloudflare. How do you know if you have a leak? Sorry for such a noob question; all these years I thought it was leak free.
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Fri Mar 10, 2023 7:13 Post subject:
If you do not use Policy Based Routing then everything is routed via the VPN included DNS queries.
For OpenVPN the provider usually pushes a DNS server which is used instead of the Static DNS servers you have set.
For WireGuard you have to fill in the DNS server of your choice in the WG interface (if you use a conf file from your provider it might already be there).
The documentation for both WG and OVPN is a sticky in this forum, there is also a separate guide for VPN and DNS.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Sat Mar 11, 2023 16:56 Post subject: Re: DNS + Leak Test Check
crows wrote:
Checking over my router settings (updated to build 51976, R7000), in basic settings I had one DNS server, 8.8.8.8. I went ahead and added a secondary DNS, 1.1.1.1. The banking site sprang to life.
Now I'm not sure if this is safe or not. I did an ipleak test at https://ipleak.net/; the IP address detected is my VPN IP, and the DNS addresses are IP addresses not familiar to me, from Google and Cloudflare.
Sounds like you are using OpenVPN and that the VPN firm is "pushing" its DNS server address to your router. The dnsmasq system in the router, which manages DNS matters, will use that DNS-server IP and any you provide on the Settings page, in your case 8.8.8.8 (Google) and 1.1.1.1 (Cloudflare). It will also use your ISP's DNS servers unless you check the box near the top on the Settings page to ignore those. I forget how the box is labeled, but look for "DNS" and "ISP" and possibly "WAN".
If you specify your VPN server with a numerical IP, you can get away with entering no static DNS servers on the Settings page. If you specify it by domain name like vpn.foo.com or whatever, you'll either need to list at least one DNS server in Settings or make a special entry in the DNSMasq settings so it knows where to look up the one name. This is, of course, because the DNS server pushed by the VPN firm is not yet available at the point when your VPN server needs to be looked up. If you need the DNSMasq settings specifics, say so and I'll dig it out. It's simple, but I'm rusty on the details.
I always check the box. In the US anyway, the ISPs cannot be trusted with your DNS history and have been caught selling the info in the past. They promised to behave but then got caught again. They promised again. Should I trust them now?
The IP/DNS checker you mentioned, ipleak.net, is maintained by AirVPN and is a good one. (They also have a great VPN service... see airvpn.dev or, if your computer is so old that it won't play well with an up-to-date site, airvpn.org.) Also popular for leak checking is dnsleaktest.com.
Another public DNS provider to experiment with is 9.9.9.9 (quad9.net). They screen against a frequently updated list of malware-related sites. IIRC their logging keeps only the rough geographical area of the queries, like NYC or London or whatever, and perhaps only for a couple of days (my memory fails me - too old - so research it) and basically for analytics purposes and not to sell. I don't believe Google or Cloudflare make any no-logging promises, but check. Not sure where they are re selling your data, but Google is assumed by most to mine your DNS queries to target ads at you.
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Thanks for all your replies; a lot of this stuff is way over my head, so I'm trying to piece it all together. I've read the sticky document VPN & DNS, and it appears I should be using split DNS. This is how I understand it.... split DNS is used so that all the traffic that uses the WAN as default route utilises the static DNS on page 1 of setup, and the clients that are routed via VPN use the DNS set up in the WireGuard "DNS servers by tunnel". What I'm not sure about from reading the document is: do I need to also create this routing table:
To accomplish this iptables rules are used which can be made visible with iptables -vnL -t nat e.g.:
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.32/27 --dport 53 -j DNAT --to 9.9.9.9
iptables -t nat -I PREROUTING -p udp -s 192.168.1.32/27 --dport 53 -j DNAT --to 9.9.9.9
In my case I use DNS server 8.8.8.8, and as an IP address which do I use, the one IP that gets routed via the VPN?
In saying that, what is a simple test to see whether the correct DNS is being used? Because when I run a leak test I'm not familiar with any of the DNS servers it lists. However, the IP is the one from my VPN.
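A check for the forced-DNS rules quoted above, as an added example that is not part of the original post or of the DD-WRT guide: it parses `iptables -vnL -t nat` output (a constructed sample is embedded so it runs offline) and reports whether both the tcp and udp port-53 DNAT rules for a subnet exist and point at the expected resolver. The subnet and resolver values are the ones from the quoted rules, used here as assumptions.

```shell
#!/bin/sh
# Constructed sample of `iptables -vnL -t nat` output on a router where the
# two quoted DNAT rules were added for 192.168.1.32/27 (not a real capture).
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       192.168.1.32/27      0.0.0.0/0            udp dpt:53 to:9.9.9.9
    0     0 DNAT       tcp  --  *      *       192.168.1.32/27      0.0.0.0/0            tcp dpt:53 to:9.9.9.9

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# forced_dns_ok SUBNET RESOLVER [NAT_OUTPUT]
# Returns 0 when a tcp AND a udp DNAT rule for destination port 53 exist for
# SUBNET and redirect to RESOLVER; returns 1 (and names the gap) otherwise.
# Uses NAT_OUTPUT if given, else runs `iptables -vnL -t nat` on the router.
forced_dns_ok() {
  subnet=$1
  resolver=$2
  nat=${3:-$(iptables -vnL -t nat 2>/dev/null)}
  for proto in tcp udp; do
    # Columns of -vnL: pkts bytes target prot opt in out source destination
    # followed by the match text, e.g. "udp dpt:53 to:9.9.9.9".
    printf '%s\n' "$nat" | awk -v p="$proto" -v s="$subnet" -v r="$resolver" '
      $3 == "DNAT" && $4 == p && $8 == s && $11 == "dpt:53" && $NF == "to:" r { found = 1 }
      END { exit found ? 0 : 1 }' || {
      echo "missing $proto dpt:53 DNAT for $subnet -> $resolver"
      return 1
    }
  done
  echo "forced DNS ok: $subnet -> $resolver (tcp and udp)"
  return 0
}

# Stand-alone run against the embedded sample; on the router drop the third
# argument to inspect the live NAT table instead.
forced_dns_ok 192.168.1.32/27 9.9.9.9 "$SAMPLE_NAT"
```

A client in the subnet that still resolves through another server after these rules pass is using DNS over TLS/HTTPS or a non-53 port, which DNAT on port 53 does not catch.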
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Mon Mar 13, 2023 2:08 Post subject:
Quick note: in dnsleaktest.com's results, Quad9 servers, which you specify with 9.9.9.9, will list as having ISP WoodyNet. That's how you identify Quad9. I believe the CEO or some important founder is/was named Woody.
DNS servers provided by a VPN firm will often show the same IP address as the VPN server. Or it may be off by one.
If there are other tricks for other providers, I don't know them.
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Mon Mar 13, 2023 7:40 Post subject:
SurprisedItWorks wrote:
Quick note: in dnsleaktest.com's results, Quad9 servers, which you specify with 9.9.9.9, will list as having ISP WoodyNet. That's how you identify Quad9. I believe the CEO or some important founder is/was named Woody.
DNS servers provided by a VPN firm will often show the same IP address as the VPN server. Or it may be off by one.
If there are other tricks for other providers, I don't know them.
9.9.9.9 has quite different transponders around the world... so expect different IPs.
WoodyNet is very US, while in the UK it's PCH, and it's basically different in every country, so check those IPs to find who they belong to... but 9.9.9.9 is very reliable, so no hassle needed..
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913