Config Stubby with vpn and wireguard

I have set up Stubby which seems to work.
But when I try with ipleak.com or dnsleaktest.com
I see both DNS from ISP provider and VPN provider.
DNS forward is set: 127.0.0.1#5453 and 0::1#5453
and "Ignore resolv file" is checked.

Must have missed something, any tips?

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

I'm using stubby and my config looks like this:

network.wan.peerdns=0
network.wan.dns=127.0.0.1
network.wan6.peerdns=0
network.wan6.dns=0::1

dhcp.@dnsmasq[0].dnssec=1
dhcp.@dnsmasq[0].dnsseccheckunsigned=1
dhcp.@dnsmasq[0].noresolv=1
dhcp.@dnsmasq[0].localuse=0
dhcp.@dnsmasq[0].server=127.0.0.1#5453 0::1#5453

To compare your current configuration run this:

echo "network.wan.peerdns=$(uci get network.wan.peerdns)"
echo "network.wan.dns=$(uci get network.wan.dns)"
echo "network.wan6.peerdns=$(uci get network.wan6.peerdns)"
echo "network.wan6.dns=$(uci get network.wan6.dns)"
echo
echo "dhcp.@dnsmasq[0].dnssec=$(uci get dhcp.@dnsmasq[0].dnssec)"
echo "dhcp.@dnsmasq[0].dnsseccheckunsigned=$(uci get dhcp.@dnsmasq[0].dnsseccheckunsigned)"
echo "dhcp.@dnsmasq[0].noresolv=$(uci get dhcp.@dnsmasq[0].noresolv)"
echo "dhcp.@dnsmasq[0].localuse=$(uci get dhcp.@dnsmasq[0].localuse)"
echo "dhcp.@dnsmasq[0].server=$(uci get dhcp.@dnsmasq[0].server)"

I don't use my VPN provider's DNS and settled for Cloudflare's DNS over TLS (DoT).
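As an added example (not anyone's post in this thread): a POSIX sh script that audits a "uci show" dump for the leak conditions the comparison above is meant to catch. The key names are the ones listed above; the two sample dumps are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenWrt "uci show" dump for the
# DNS-leak conditions discussed above (ISP peer DNS accepted, dnsmasq reading
# /etc/resolv.conf, no forward to Stubby). On a router: uci show network dhcp > dump.txt

# get DUMP KEY: print KEY's value with UCI's quotes stripped (empty if unset)
get() {
    awk -F= -v k="$2" -v q="'" '$1 == k { sub(/^[^=]*=/, ""); gsub(q, ""); print; exit }' "$1"
}

# audit_dns_config DUMP: one finding per line, nothing when the dump is clean
audit_dns_config() {
    dump="$1"
    [ "$(get "$dump" network.wan.peerdns)" = "0" ] ||
        echo "network.wan.peerdns: ISP IPv4 DNS accepted (set to 0)"
    [ "$(get "$dump" network.wan6.peerdns)" = "0" ] ||
        echo "network.wan6.peerdns: ISP IPv6 DNS accepted (set to 0)"
    [ "$(get "$dump" 'dhcp.@dnsmasq[0].noresolv')" = "1" ] ||
        echo "dhcp.@dnsmasq[0].noresolv: dnsmasq also reads /etc/resolv.conf (set to 1)"
    servers=$(get "$dump" 'dhcp.@dnsmasq[0].server')
    case " $servers " in
        *" 127.0.0.1#5453 "*) ;;
        *) echo "dhcp.@dnsmasq[0].server: no IPv4 forward to Stubby (127.0.0.1#5453)" ;;
    esac
    case " $servers " in
        *" ::1#5453 "*|*" 0::1#5453 "*) ;;
        *) echo "dhcp.@dnsmasq[0].server: no IPv6 forward to Stubby (::1#5453)" ;;
    esac
}

# count_findings DUMP: number of findings (0 means no leak condition found)
count_findings() {
    audit_dns_config "$1" | awk 'END { print NR }'
}

# Constructed sample dumps (not real router output): one leaky, one matching the post above
LEAKY=$(mktemp); CLEAN=$(mktemp)
cat > "$LEAKY" <<'EOF'
network.wan.peerdns='1'
dhcp.@dnsmasq[0].noresolv='0'
dhcp.@dnsmasq[0].server='127.0.0.1#5453'
EOF
cat > "$CLEAN" <<'EOF'
network.wan.peerdns='0'
network.wan6.peerdns='0'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].server='127.0.0.1#5453' '0::1#5453'
EOF
audit_dns_config "$LEAKY"
```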

I doubt it's the reason for your issue, but nevertheless fix the IPv6 listen address please.
IPv6 localhost is ::1; yes, yes, even the leading zero will probably (or hopefully) not hurt. But you never know how some programs parse the input.


I don't have an issue with Stubby :confused:, I think you were directing your post to @octopus?

Anyway, when I originally set up Stubby I just followed the instructions:
here, and here.

Oh yes sorry.

I have tested and it does not seem to be working.
I use this:

    Name: Intercept-DNS
    Restrict to address family: IPv4 and IPv6
    Protocol: TCP, UDP
    Source zone: lan
    External port: 53
    Destination zone: unspecified
    Internal IP address: any
    Internal port: any

I get "DNS over TLS" DNS on my VPN and WireGuard.
I want the VPN and WireGuard DNS from the VPN provider to go in the tunnel,
and all LAN through the "DNS over TLS" tunnel.
I'm also using PBR.

@frollic @otnert @_bernd

I don't use PBR.

If you only have a few devices you want to use the VPN DNS for, this firewall Port Forward redirect may help.

e.g. 1x device, using the source MAC address to use VPN DNS, all other devices using Cloudflare DoT.
You can add more devices using the same rule through the GUI.

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option name 'Intercept-DNS-PIA'
	option dest_ip '10.0.0.243'
	list src_mac '94:XX:XX:XX:XX:XX'


Have tried a bit and can't get WAN and VPN provider to work together.
I can see WAN (cleanbrowsing.org) dns in VPN DNS clients.


Have configured Stubby with "security-filter-dns.cleanbrowsing.org" for testing; Stubby is connected.

config stubby 'global'
	option manual '0'
	option trigger 'wan'
	list dns_transport 'GETDNS_TRANSPORT_TLS'
	option tls_authentication '1'
	option tls_query_padding_blocksize '128'
	option appdata_dir '/var/lib/stubby'
	option edns_client_subnet_private '1'
	option idle_timeout '10000'
	option round_robin_upstreams '1'
	list listen_address '127.0.0.1@5453'
	list listen_address '0::1@5453'
	option log_level '3'

config resolver
	option address '185.228.168.9'
	option tls_auth_name 'security-filter-dns.cleanbrowsing.org'

config resolver
	option address '185.228.169.9'
	option tls_auth_name 'security-filter-dns.cleanbrowsing.org'

config resolver
	option address '2a0d:2a00:1::2'
	option tls_auth_name 'security-filter-dns.cleanbrowsing.org'

config resolver
	option address '2a0d:2a00:2::2'
	option tls_auth_name 'security-filter-dns.cleanbrowsing.org'

I'm not sure if this does what it says?
Override preconfigured DNS provider for LAN clients.
Prevent DNS leaks for LAN clients when using VPN or DNS encryption.


    Name: Intercept-DNS
    Restrict to address family: IPv4 and IPv6
    Protocol: TCP, UDP
    Source zone: lan
    External port: 53
    Destination zone: unspecified
    Internal IP address: any
    Internal port: any

@otnert @frollic @_bernd

OK, so the Stubby side of things is working now.

Have you tried the firewall redirect I posted above?

If your VPN supports IPv6, you'll need to create an additional rule to cover the IPv6 protocol and DNS address,
e.g. ...

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option name 'Intercept-DNS-VPN-v4'
	option dest_ip 'insert VPN IPv4 DNS address' <=====
	list src_mac 'XX:XX:XX:XX:XX:XX' <=====
	option family 'ipv4' <=====

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option name 'Intercept-DNS-VPN-v6'
	option dest_ip 'insert VPN IPv6 DNS address' <=====
	list src_mac 'XX:XX:XX:XX:XX:XX' <=====
	option family 'ipv6' <=====

Or you may be able to use PBR for your VPN DNS?
If so, someone else would need to help, as I don't use PBR.

Thanks for your answer.
I have tested what you suggested and I can't get it to work.
All tests get both DNS, from the VPN DNS and the DoT DNS servers.
Tested both Intercept-DNS and Intercept-DNS-PIA config with same result.

I'm using EGC's script to get the pushed DNS from the VPN provider, and for WireGuard I have DNS set in "Use custom DNS servers".
The goal is to get DNS from the VPN provider only used by the VPN and WireGuard.
DNS from the internet provider only used by WAN clients to WAN.
ISP DNS is only used by WAN clients to WAN via DoT.

@egc
Do you have any suggestions?
