Blocking ISP advertised DNS

in that case, is DoH (I believe they call it Secure DNS) enabled in your browser?

No, it isn't, but not needed for this device either as a client side VPN is in use most of the time except for scenarios where it might hinder network analysis.

And testing with dnsleaktest.com or dnscheck.tools still shows ISP DNS?

It does indeed chap. I rebooted the router just to make sure the changes from the command line were indeed operating as they should, and when I consulted dnsleaktest.com it still showed that Zen (my ISP) was handling my DNS queries. Zen says they can't give me help, because I am not using their hardware.

they would say the same even if you used their hardware....

and what upstream DNSes are you using now?

If you install bind-dig on the router and run this command, do you get any output?

dig +short txt id.server.on.quad9.net @9.9.9.9

Then in a browser, test with:
https://on.quad9.net/

My configuration stayed the same. My OpenWRT overview page shows that Quad 9 is set as my IPv4 upstream server and that IPv6 upstream servers are set to Quad 9 too, but also the ISP's DNS servers for some reason, although lower down in the pecking order.

there's also https://restoreprivacy.com/webrtc-leaks/, don't know if it applies here though, but it might be something the leak testers test for, they're all (most of them anyway) selling VPN tunnels :wink:

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Isn't dnsleaktest doing a rDNS lookup on your IP address? In which case, I would expect Zen to handle it unless they have delegated it to you.

They are making the browser query one of their domains and they monitor from which resolver came the query to their authoritative nameserver.


I do get a response. Here it is:
res300.man.on.quad9.net

Interesting. Here is my output from that command:

                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
-ash:  uci: not found
-ash:  uci: not found
-ash:  ls: not found
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.ppp <==
nameserver 212.23.3.100
nameserver 212.23.6.100

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 9.9.9.9
nameserver 149.112.112.112
# Interface wan6
nameserver 2620:fe::fe
nameserver 2620:fe::9

It would seem that there is a resolv.conf.ppp file in the tmp directory. Is it editable or does it automatically get generated when the PPPoE connection is established?

Make sure there are no trailing spaces after the \ character at the end of each line. Or run each command individually without the ; \ at the end.

Done. Here is the output:

                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd84:9078:821d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ethtool_opts 'rx-usecs 0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '48'
        option defaultroute '0'
        list ip6class 'local'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth1.911'
        option username 'redacted'
        option password 'redacted'
        option delegate '0'
        option ethtool_opts 'rx-usecs 0'
        option ipv6 '1'
        option dns_metric '0'
        option peerdns '0'
        list dns '9.9.9.9'
        list dns '149.112.112.112'

config interface 'wan6'
        option proto 'dhcpv6'
        option device '@wan'
        option reqaddress 'try'
        option reqprefix '64'
        option sourcefilter '0'
        option ip6assign '48'
        list dns '2620:fe::fe'
        list dns '2620:fe::9'
        option dns_metric '0'
        option delegate '0'
        option peerdns '0'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '911'
        option name 'eth1.911'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option cachesize '500'
        option nonegcache '1'
        list server '9.9.9.9'
        list server '149.112.112.112'
        list server '2620:fe::fe'
        list server '2620:fe::9'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host (Redacted)

lrwxrwxrwx    1 root     root            16 Apr 27 21:28 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 May  3 15:55 /tmp/resolv.conf
-rw-r--r--    1 root     root           124 May  3 15:54 /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root            48 May  3 15:54 /tmp/resolv.conf.ppp

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           124 May  3 15:54 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.ppp <==
nameserver 212.23.3.100
nameserver 212.23.6.100

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 9.9.9.9
nameserver 149.112.112.112
# Interface wan6
nameserver 2620:fe::fe
nameserver 2620:fe::9

Please copy-paste text, not images.
As far as OpenWrt is concerned, it is using the nameservers you have configured.

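A quick way to confirm the conclusion above on the router itself: compare the nameservers in the PPP-supplied file with the ones in the file dnsmasq actually forwards to. The script below is an added example, not code from the thread or from OpenWrt; the sample files it writes are constructed copies of the output posted above (plus one hypothetical "peerdns still on" file for the positive case), and the paths under the temporary directory are assumptions standing in for /tmp/resolv.conf.ppp and /tmp/resolv.conf.d/resolv.conf.auto. It is POSIX sh, so it runs unchanged under busybox ash on the router if you point it at the real files.

```shell
#!/bin/sh
# Added example (not from the thread): check whether ISP/PPP-supplied
# nameservers have reached the resolver file dnsmasq forwards to.
set -eu

# Print nameserver addresses, one per line, from resolv.conf-style files.
# Comment and 'search' lines are ignored; unreadable files are skipped.
resolv_nameservers() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$f"
    done
}

# Print every nameserver present in BOTH the peer (PPP) file and the
# forward file. Empty output means the ISP resolvers are not in the
# router's forwarding path, i.e. the leak must be happening elsewhere.
leaked_peer_dns() {
    peer_file=$1
    forward_file=$2
    for ns in $(resolv_nameservers "$peer_file"); do
        if resolv_nameservers "$forward_file" | grep -qxF "$ns"; then
            printf '%s\n' "$ns"
        fi
    done
}

# --- constructed sample files mirroring the posted output ---------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/resolv.conf.d"

# What pppd wrote (ISP resolvers, as in the post). Assumed path.
cat > "$demo_dir/resolv.conf.ppp" <<'EOF'
nameserver 212.23.3.100
nameserver 212.23.6.100
EOF

# What netifd wrote with peerdns '0' and explicit list dns (as in the post).
cat > "$demo_dir/resolv.conf.d/resolv.conf.auto" <<'EOF'
# Interface wan
nameserver 9.9.9.9
nameserver 149.112.112.112
# Interface wan6
nameserver 2620:fe::fe
nameserver 2620:fe::9
EOF

# Hypothetical file showing what a leak would look like (peerdns left on).
cat > "$demo_dir/resolv.conf.auto.leaky" <<'EOF'
# Interface wan
nameserver 212.23.3.100
nameserver 9.9.9.9
EOF

# Report for the reader when run directly.
clean=$(leaked_peer_dns "$demo_dir/resolv.conf.ppp" "$demo_dir/resolv.conf.d/resolv.conf.auto")
leaky=$(leaked_peer_dns "$demo_dir/resolv.conf.ppp" "$demo_dir/resolv.conf.auto.leaky")
printf 'posted config: leaked peer nameservers: [%s]\n' "$clean"
printf 'hypothetical leaky config: leaked peer nameservers: [%s]\n' "$leaky"
```

On a real 22.03 router, substitute /tmp/resolv.conf.ppp and /tmp/resolv.conf.d/resolv.conf.auto for the two sample paths. An empty result there, combined with the dig answer from Quad9 earlier in the thread, means the router is forwarding only to the configured upstreams and the browser test is being answered by something on the client side (the VPN, a browser DoH setting, or a client not pointed at the router), not by the router.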

The message was updated.

Remove these from the lan interface.
Also ip6assign can be something realistic, like 60.

Remove these from wan6. Make option reqprefix '64' into auto.


Okay. I have restarted the router after amending the network file to look like this:

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option reqaddress 'try'
	option reqprefix 'auto'
	list dns '2620:fe::fe'
	list dns '2620:fe::9'
	option dns_metric '0'
	option peerdns '0'

Did the extra IPv6 ISP DNS entries disappear in the LuCI overview page?
