Alternative DNS when using another interface with policy based routing

OpenWrt 19.07.4 r11208-ce6496d796
LuCI openwrt-19.07 branch (git-20.311.85693-0e6a8c2)
vpn-policy-routing 0.2.1-13
Adblock Version 4.0.7 (Force Local DNS is off)

Goal:
Alternative DNS when using another interface with policy based routing.

I'm using ExpressVPN on my router, using OpenVPN. The VPN is the default for all users.

In the policy based routing settings, I can change VPN to WAN for specific user(s). The only thing is that the DNS from the VPN provider is used, even if I use WAN.

When I kill the VPN connection, everything goes through WAN and the DNS from WAN is used. So without PBR it's working.

I now use a workaround, by adding this in dnsmasq.conf (example):

dhcp-host=A0:A4:C5:09:AD:03,set:watchDNS,10.0.1.16,laptop,1440m

# tag watch dns

dhcp-option=tag:watchDNS,option:dns-server,84.200.69.80,84.200.70.40

The problem with this is that when I set the client back to use the VPN, the device is still using the DNS from dnsmasq.conf. This gives the client a DNS leak.

Is there a way to change the DNS along with the change of the interface in policy based routing from VPN to WAN and back? Maybe in the vpn-policy-routing file?

You can push a major public DNS provider with DHCP.
It should work seamlessly for both WAN and VPN.

Dnsmasq is a local service and requests will always go out of the default gateway. There are 2 solutions to overcome this. The simplest is 2 Dnsmasq instances. The VPN instance uses server=8.8.8.8@tun0

The optional string after the @ character tells dnsmasq how to set the source of the queries to this nameserver. It can either be an ip-address, an interface name or both. The ip-address should belong to the machine on which dnsmasq is running, otherwise this server line will be logged and then ignored. If an interface name is given, then queries to the server will be forced via that interface.

The second method uses a single Dnsmasq instance but requires conntrack, which needs dnsmasq-full. The link below explains it.

I have tested both methods.

1 Like

@vgaetera I cannot use one DNS for both, because one of them is on a company server. But the URL is clear. Thanks.

@sammo if I want to try the first option, where do I set the server option? (What file do I edit?) Sorry if it is a stupid question.

1 Like

Please note I'm using split VPN using PBR: lan and lanvpn interfaces.

root@repeater:~# cat /etc/config/dhcp

config dnsmasq 'main'
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option allservers '1'
        option cachesize '500'
        option confdir /tmp/dnsmasq.main
        list interface 'lan'

config dnsmasq 'tun0'
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/tun0/'
        option domain 'tun0'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option nonwildcard '1'
        option localservice '1'
        option allservers '1'
        option cachesize '500'
        option leasefile '/tmp/dhcp.leases.tun0'
        option serversfile '/tmp/servers.tun0'
        option noresolv '1'
        list interface 'lanvpn0'
        list notinterface 'lo'
root@repeater:~# cat /tmp/servers.tun0
server=1.1.1.1@tun0
server=8.8.8.8@tun0
root@repeater:~#

From the Dnsmasq man pages:
--servers-file=

A special case of --conf-file which differs in two respects. Firstly, only --server and --rev-server are allowed in the configuration file included. Secondly, the file is re-read and the configuration therein is updated when dnsmasq receives SIGHUP.
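As an added example (my own, not code from this thread or from the OpenWrt project): a small POSIX sh helper that defines a second dnsmasq instance the way the `tun0` section above does, writes `/tmp/servers.tun0` with every upstream pinned to tun0, refuses a file in which any server line is left unpinned (an unpinned line falls back to the default route, which is exactly the leak the thread is about), and HUPs the instance so it re-reads the servers-file. The section/instance name `tun0`, the pidfile path `/var/run/dnsmasq/dnsmasq.tun0.pid` and the uci commands are my assumptions about how the 19.07 init script names things; the resolver addresses are just the ones from the post above.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt.
# Builds a per-interface dnsmasq --servers-file, verifies every upstream is
# pinned to the interface, and makes the instance re-read it (dnsmasq re-reads
# --servers-file on SIGHUP).
# Assumptions (mine): the dnsmasq section/instance is named "tun0", the 19.07
# init script writes /var/run/dnsmasq/dnsmasq.tun0.pid for it, and the VPN-side
# LAN interface is "lanvpn0".

# create_vpn_instance: define the second dnsmasq instance via uci (run once).
# Mirrors the 'tun0' section from the config above; not called by the checks.
create_vpn_instance() {
    uci set dhcp.tun0=dnsmasq
    uci set dhcp.tun0.domain='tun0'
    uci set dhcp.tun0.local='/tun0/'
    uci set dhcp.tun0.noresolv='1'                  # ignore resolv.conf.auto
    uci set dhcp.tun0.serversfile='/tmp/servers.tun0'
    uci set dhcp.tun0.leasefile='/tmp/dhcp.leases.tun0'
    uci add_list dhcp.tun0.interface='lanvpn0'
    uci add_list dhcp.tun0.notinterface='lo'
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

# write_servers_file FILE IFACE IP...
# One "server=IP@IFACE" line per upstream; a servers-file may contain only
# --server/--rev-server lines, so nothing else is emitted.
write_servers_file() {
    file=$1; iface=$2; shift 2
    : > "$file"
    for ip in "$@"; do
        printf 'server=%s@%s\n' "$ip" "$iface" >> "$file"
    done
}

# check_servers_file FILE IFACE
# Succeeds only if every non-empty line is a server= entry pinned to IFACE.
# A line without "@IFACE" lets dnsmasq send the query via the default route,
# so the check fails on it instead of letting it reach the running instance.
check_servers_file() {
    file=$1; iface=$2
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            server=*@"$iface") ;;
            *) echo "unpinned upstream: $line" >&2; return 1 ;;
        esac
    done < "$file"
    return 0
}

# reload_instance NAME: SIGHUP the named instance so it re-reads --servers-file.
reload_instance() {
    pidfile="/var/run/dnsmasq/dnsmasq.$1.pid"
    [ -r "$pidfile" ] || { echo "no pidfile for instance $1" >&2; return 1; }
    kill -HUP "$(cat "$pidfile")"
}

# Typical use on the router, after create_vpn_instance has been run once:
# write_servers_file /tmp/servers.tun0 tun0 1.1.1.1 8.8.8.8
# check_servers_file /tmp/servers.tun0 tun0 && reload_instance tun0
```

Because the file is validated before the HUP, a typo such as `server=9.9.9.9` without the `@tun0` suffix never reaches the VPN-side instance; the same pattern with `@eth1.2` (or whatever the WAN device is) serves the `main` instance if you move it off `resolvfile` too.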

I changed the line in dhcp from
option resolvfile '/tmp/resolv.conf.auto'
to
option serverfile '/tmp/resolv.conf.auto'

and I changed nameserver 8.8.8.8 (example) in /tmp/resolv.conf.auto to
server=8.8.8.8@tun0 (for VPN)
server=1.1.1.1@eth1.2 (for WAN)

but DNS isn't resolved after the change. Am I missing something?

(I know I need to make an alternative file that doesn't get auto-filled, but for testing I changed this one.)

You need 2 Dnsmasq instances. Your solution still leaks DNS to your ISP.

Look up the kidsafe/guest cookbook.

So if I'm correct, I need to set up a second dnsmasq instance, so I have an instance for WAN and an instance for VPN. (Do they need different IP ranges to make this work?)

Alternatively, you can utilize selective DNS forwarding to route company domains to a specific resolver using a single dnsmasq instance.

Yes, you would. If you want a single network segment then you need option 2 using conntrack. This also provides the kill switch for the VPN if you configure the firewall properly.
If you are using a single network segment you will need to start marking packets and provide a blackhole rule for your VPN to stop data leaks.

If I'm using two instances, can I use for example 10.0.1.x and 10.0.2.x and make them communicate in the LAN?
I'm asking because in the LAN a user needs to get to the internal NAS, no matter if they are on VPN or WAN for internet access.

It should be possible. You will need to create forwarding rules between the 2 LANs and also the routes in the PBR.

Ok, thanks. I'll give it a try next week, when everyone is not at home :wink: