Ad-blocking DNS does not work for devices routed through VPN with pbr

Hi, I am trying to figure out why ad-blocking seems to work in some situations, but not for a device that 'pbr' routes over a WireGuard VPN.

Do note, I am NOT using adblock-fast; I just have the package installed. I wanted to get DNS working by pointing at a known-working ad-blocking server first.

Here is my network config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipv6 '0'
        option delegate '0'

config device
        option name 'eth0.2'
        option macaddr 'c0:c9:e3:4f:8c:1a'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option ipv6 '0'
        option peerdns '0'
        list dns '176.9.93.198'
        list dns '176.9.1.117'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option disabled '1'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2620:fe::fe'
        list dns '2620:fe::9'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

# Client tunnel to Mullvad. The resolvers listed below are reached over the
# tunnel (see the two host routes for them further down), apparently as plain
# DNS, so the tunnel provider is in a position to answer those queries itself;
# the thread later confirms Mullvad does so. Encrypted DNS to the router, or
# the provider's own resolver, avoids that.
config interface 'mullvad_wg'
        option proto 'wireguard'
        option private_key '...'
        list addresses '10.69.33.199/32'
        list addresses 'fc00:bbbb:bbbb:bb01::6:21c6/128'
        option force_link '1'
        option nohostroute '1'
        # Router-side upstreams for this interface (feed resolv.conf.auto);
        # LAN clients do not use these, they get DHCP option 6 instead.
        list dns '176.9.93.198'
        list dns '176.9.1.117'

config interface 'home_vpn'
        option proto 'wireguard'
        option private_key '...'
        option listen_port '51820'
        list addresses '10.0.100.1/24'
        list dns '176.9.1.117'
        list dns '176.9.93.198'

config wireguard_home_vpn
        option description 'My Phone'
        option public_key 'oUdCIM/omzWtus4j7za7mDpE0/Z/9/RPbfl0P8u4TiI='
        option private_key '...'
        option preshared_key '...'
        option route_allowed_ips '1'
        list allowed_ips '10.0.100.2/32'

config wireguard_mullvad_wg
        option description 'us-sea-wg-001'
        option public_key 'bZQF7VRDRK/JUJ8L6EFzF/zRw2tsqMRk6FesGtTgsC0='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '138.199.43.91'
        option disabled '1'

config interface 'proton_wg'
        option proto 'wireguard'
        option private_key '...'
        list addresses '10.2.0.2/32'

config wireguard_proton_wg
        option description 'Imported peer configuration'
        option public_key 'FopxTTklZx2W9X1ua1rGHdn+w4F8KVwcBjVmqMFFbAI='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '195.181.162.163'
        option endpoint_port '51820'
        option persistent_keepalive '25'

config wireguard_mullvad_wg
        option description 'ca-van-wg-201'
        option public_key 'hYbb2NQKB0g2RefngdHl3bfaLImUuzeVIv2i1VCVIlQ='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '104.193.135.196'
        option persistent_keepalive '25'

# Host routes pinning both DNSForge resolvers to the Mullvad tunnel. Any
# client that queries 176.9.x directly (the 'lan' DHCP section hands those
# addresses out via option 6) has its DNS carried through mullvad_wg, where
# the provider can intercept plain DNS — consistent with the hijacking
# diagnosed later in the thread. NOTE(review): confirm these routes are
# still wanted once the interface points at Mullvad's own resolver.
config route
        option interface 'mullvad_wg'
        option target '176.9.93.198/32'

config route
        option interface 'mullvad_wg'
        option target '176.9.1.117/32'

# NOTE(review): this peer is attached to home_vpn (the inbound server
# interface listening on 51820), yet its description/endpoint pattern matches
# the Mullvad client peers above rather than the 'My Phone' peer, which is
# correctly scoped to a single /32 with a preshared key. allowed_ips also
# governs which source addresses WireGuard accepts from a peer, so a
# 0.0.0.0/0 peer on the server side is worth confirming as intended.
config wireguard_home_vpn
        option description 'ca-van-wg-301'
        option public_key 'BzYINbABQiSbRLDZIlmgsLgL88offQJCEH3JkcjRGUk='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '149.22.81.194'

And my pbr config...

# Global pbr settings. Policy-based routing only steers packets; it does not
# change which resolver a client asks, which is why the DNS behaviour in this
# thread has to be fixed on the DNS side.
config pbr 'config'
        option enabled '1'
        option verbosity '2'
        # Presumably keeps policies in force when their interface is down
        # (fail closed rather than leaking to the WAN) — confirm against the
        # pbr documentation.
        option strict_enforcement '1'
        option resolver_set 'none'
        list resolver_instance '*'
        option ipv6_enabled '0'
        # NOTE(review): no interface named 'vpnserver' appears in the network
        # config above; the inbound server interface is 'home_vpn'.
        list ignored_interface 'vpnserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_boot_delay '0'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        option nft_file_mode '1'
        option nft_rule_counter '0'
        option nft_set_auto_merge '1'
        option nft_set_counter '0'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list supported_interface 'lan'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.wg_server_and_client'
        option enabled '0'

config policy
        option name 'Ignore Local Requests'
        option interface 'ignore'
        option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

config policy
        option name 'ipchicken test'
        option dest_addr 'ipchicken.com'
        option interface 'wg'
        option enabled '0'

config policy
        option name 'Forward torrentbox over mullvad'
        option src_addr '192.168.1.5'
        option interface 'mullvad_wg'

config policy
        option name 'Forward ThinkPad Through Mullvad'
        option src_addr 'thinkpad'
        option interface 'mullvad_wg'
        option enabled '0'

config policy
        option name 'Forward Pixel Through Mullvad'
        option src_addr '42:7B:03:FA:69:FD'
        option interface 'mullvad_wg'

config policy
        option name 'Forward Dell Through Mullvad'
        option src_addr '48:51:B7:B4:B7:20'
        option interface 'mullvad_wg'

config policy
        option name 'Forward Home VPN to Proton VPN'
        option src_addr '10.0.100.2/32'
        option interface 'proton_wg'
        option enabled '0'

config policy
        option name 'Forward Home VPN to Mulvad VPN'
        option src_addr '10.0.100.2/32'
        option interface 'mullvad_wg'
        option enabled '0'

# DNS policy keyed on a client MAC (the same device as the 'Forward Dell'
# policy above). NOTE(review): the thread reports no difference between
# 'wan' and the tunnel here; with the host routes for the DNSForge addresses
# pointing at mullvad_wg, queries to those resolvers leave via the tunnel
# either way — presumably why. Confirm against pbr's dns_policy semantics.
config dns_policy
        option name 'DNSForge-Content Blocking'
        option src_addr '48:51:B7:B4:B7:20'
        option dest_dns 'wan'

I added that last section hoping it was the issue, and I have tried both 'wan' and 'mullvad_vpn' as the "dest_dns" with no difference.

Here is my dhcp config...

# Router-side resolver. Clients are handed external resolvers via DHCP
# option 6 in the 'lan' section below, so most client queries never reach
# dnsmasq; logqueries then records only lookups that do hit the router,
# which matches the "didn't see any requests" observation later in the thread.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # Rejects upstream answers pointing at private ranges (DNS rebinding);
        # only protects clients that actually resolve through the router.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Upstreams come from the per-interface 'list dns' entries in the
        # network config.
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '0'
        option ednspacket_max '1232'
        list rebind_domain 'plex.direct'
        option strictorder '1'
        # Written by adblock-fast; presumably inert while that package is
        # installed but not enabled, as the post states — confirm.
        option serversfile '/var/run/adblock-fast/dnsmasq.servers'
        option localuse '1'
        option logqueries '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        # Hands clients the two DNSForge addresses directly, so client DNS
        # bypasses dnsmasq (and its rebind protection and query log). For
        # pbr-routed clients those plain-DNS queries travel through the VPN,
        # where the provider can intercept them. Pointing clients at the
        # router instead (e.g. '6,192.168.1.1', the LAN address above) keeps
        # resolution, logging and any encrypted upstream on the router.
        list dhcp_option '6,176.9.93.198,176.9.1.117'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac '70:85:C2:7C:FB:AC'
        option ip '192.168.1.2'
        option name 'ryzen'
        option dns '1'

config host
        option name 'raspberrypi'
        option dns '1'
        option mac 'DC:A6:32:D7:11:09'
        option ip '192.168.1.3'

config host
        option name 'IPCAM'
        option dns '1'
        option mac '54:C9:DF:E7:FC:B5'
        option ip '192.168.1.4'

config host
        option name 'torrenterbox'
        option dns '1'
        option mac '08:00:27:1C:16:41'
        option ip '192.168.1.5'

config host
        option name 'thinkpad'
        option dns '1'
        option mac '8C:70:5A:CB:18:D0'
        option ip '192.168.1.6'

config host
        option name 'VizioTV'
        list mac 'A4:8D:3B:16:82:BE'
        option ip 'ignore'

config domain
        option name 'torrentbox'
        option ip '192.168.1.5'

config dhcp 'wg'
        option interface 'wg'
        option ignore '1'

config dhcp 'pwg'
        option interface 'pwg'
        option ignore '1'

config dhcp 'home_vpn'
        option interface 'home_vpn'
        option ignore '1'

config dhcp 'mullvad_wg'
        option interface 'mullvad_wg'
        option ignore '1'

So I am not really sure why, but when I run an ad-block test from a device that pbr routes over my mullvad_wg interface, I don't get any ad-blocking at all, even though that interface is set to use the ad-blocking DNS servers. I also turned on DNS query logging throughout this and didn't see any requests going to any other server.

I also enabled "Enforcing dnsmasq for local system" following the wiki instructions, because I figured it was the same as adblock-fast's "Enforce router DNS" option — is it?

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#enforcing_dnsmasq_for_local_system

Are these the ad-blocking servers?

Yes, they are, sorry I didn't specify before. They're from DNSForge.

First check on your lan devices that they have those DNSForge DNS servers.

But it might not help: Mullvad might be hijacking DNS inside the tunnel.

A quick test with ipleak.net from your LAN devices will show which DNS server(s) are actually being used.

Edit: you might try the PBR DNS Policies for the LAN devices with one of Mullvad's own servers:


Ahh! Realized what I was doing wrong thanks to your post...

Yes, Mullvad is doing DNS hijacking, which I confirmed through a series of experiments switching back and forth between them and Proton. However, I also noticed that, between Proton and Mullvad, Proton still ends up leaking the DNS servers in use, even when I attempt to route all connections through proton_wg. That ipleak.net site is way better than what I have been using, thanks for that.

Anyway, that made me realize they were probably doing it by design, precisely to prevent leaks like that. Once I came back here I saw your edit with that GitHub page, and those are definitely the addresses I needed. I set 100.64.0.63 as mullvad_wg's DNS server and now it's scoring 97% and above again, with no leaks.

So to be clear:

Problem: Mullvad was hijacking DNS queries destined for DNSForge and answering them from their own servers, even though I had set the DNSForge addresses as the DNS servers for that interface.

Solution: Use Mullvad's content-blocking DNS servers as the custom DNS servers instead, since they are (probably?) intercepting DNS by design to prevent leaks.


You can also encrypt your DNS requests on your router with, for example, https-dns-proxy, so they can no longer be hijacked upstream: plain DNS on port 53 can be transparently redirected by anyone on the path, whereas an encrypted session is authenticated to the resolver you chose.


Even better! I guess I should get with the times and learn how to set that up already, anyway. Part of why I went with DNSForge is that it was one of the few that allow a plain (unencrypted) DNS connection.
