Hello. I've set up WireGuard on my OpenWrt and configured it to tunnel all traffic from a specific interface (for more details, read this post) and to pass the other interface directly to the WAN.
When I connect to the AP using the DHCP configuration on the client side, DNS queries are resolved by OpenWrt, not by the client (such as a phone or laptop), unless I set a static DNS server (like 1.1.1.1 for IPv4); then the DNS queries also pass through the tunnel. Because of this, by default my DNS traffic passes directly through the WAN and I have a DNS leak problem.
I'm looking for a solution to make OpenWrt resolve DNS traffic through the WireGuard tunnel as well.
Use option 6 in the DHCP advanced configuration under the interface that is tunneled to advertise the DNS server that users should use directly instead of querying OpenWrt.
# Intercept DNS traffic
# A "redirect" section with target DNAT and no dest_ip rewrites the destination of
# matching packets to the router itself, so every IPv4 DNS query from the lan zone
# (TCP and UDP port 53) is answered by the router's own resolver; nothing is blocked.
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.family="ipv4"
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.dns_int.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart
I expected these commands to block all outgoing DNS traffic (TCP/UDP 53), but nothing happened. Is it really used to block DNS traffic, or what?
After a few days of experience, unfortunately it is NOT a reliable solution! I noticed that on Windows, sometimes my DNS traffic suddenly leaked and returned the ISP's filtered IP. But sometimes, not always!
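The following script is an added example and is not code from this thread or from the OpenWrt wiki. It combines the option 6 answer with the fail-closed behaviour the "block DNS" question was after: DHCP option 6 points clients on the tunneled interface at a resolver that is only routed through the WireGuard tunnel, and two REJECT rules (one for DNS forwarded to the WAN zone, one for DNS sent to the router itself, whose dnsmasq would forward it over the WAN) make port 53 from that zone fail with an error rather than leak when a client, like the Windows machine described above, ignores the advertised resolver. The interface/DHCP section name `vpn_lan`, the zone names `vpn_lan` and `wan`, the section names `vpn_dns_wan` and `vpn_dns_router`, and the resolver address `10.66.66.1` are assumptions and placeholders; the script assumes `dhcp.vpn_lan` already exists because DHCP is enabled on that interface.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps DNS for the tunneled interface inside the
# tunnel: DHCP option 6 hands clients a resolver that is only routed via WireGuard, and
# two REJECT rules make port 53 from that zone fail closed instead of leaking via the WAN.
# Section, zone and address names below are assumptions; adjust them to your router.
VPN_IFACE="${VPN_IFACE:-vpn_lan}"        # dhcp section of the tunneled interface (assumed)
VPN_ZONE="${VPN_ZONE:-vpn_lan}"          # firewall zone that interface belongs to (assumed)
WAN_ZONE="${WAN_ZONE:-wan}"              # zone that reaches the ISP directly
TUNNEL_DNS="${TUNNEL_DNS:-10.66.66.1}"   # placeholder: a resolver reachable only via the tunnel

# Prints the uci commands that implement the policy, one per line, so they can be
# reviewed before anything is applied. Unquoted heredoc: ${...} expands here, the
# single quotes are left for the shell that later executes the lines.
vpn_dns_commands() {
    cat <<EOF
# 1. DHCP option 6: clients on ${VPN_IFACE} are told to use ${TUNNEL_DNS}, not the router
uci -q delete dhcp.${VPN_IFACE}.dhcp_option
uci add_list dhcp.${VPN_IFACE}.dhcp_option='6,${TUNNEL_DNS}'
# 2. Forwarded DNS from the tunneled zone to the WAN zone is rejected (fail closed)
uci -q delete firewall.vpn_dns_wan
uci set firewall.vpn_dns_wan=rule
uci set firewall.vpn_dns_wan.name='Reject-DNS-${VPN_ZONE}-to-wan'
uci set firewall.vpn_dns_wan.src='${VPN_ZONE}'
uci set firewall.vpn_dns_wan.dest='${WAN_ZONE}'
uci set firewall.vpn_dns_wan.proto='tcp udp'
uci set firewall.vpn_dns_wan.dest_port='53'
uci set firewall.vpn_dns_wan.target='REJECT'
# 3. DNS aimed at the router itself (rule with src but no dest = input chain) is
#    rejected too, because dnsmasq would answer it via the WAN; a client that ignores
#    option 6 now gets an error instead of a leak
uci -q delete firewall.vpn_dns_router
uci set firewall.vpn_dns_router=rule
uci set firewall.vpn_dns_router.name='Reject-DNS-${VPN_ZONE}-to-router'
uci set firewall.vpn_dns_router.src='${VPN_ZONE}'
uci set firewall.vpn_dns_router.proto='tcp udp'
uci set firewall.vpn_dns_router.dest_port='53'
uci set firewall.vpn_dns_router.target='REJECT'
EOF
}

# On the router: execute the commands, commit both configs and reload the services.
# Elsewhere (no uci binary): dry run, just print what would be applied.
if command -v uci >/dev/null 2>&1; then
    vpn_dns_commands | sh
    uci commit dhcp && uci commit firewall
    /etc/init.d/dnsmasq restart && /etc/init.d/firewall restart
else
    vpn_dns_commands
fi
```

To check the result from a client on the tunneled interface, renew the DHCP lease and confirm the resolver it received is the tunnel address; a lookup against that address should succeed, while a lookup forced to a WAN-side resolver (for example 1.1.1.1) or to the router's own address should fail immediately with a connection refused / port unreachable error rather than answer. A lookup that still answers from outside the tunnel means the client is on a zone these rules do not cover. Two caveats: the "to-router" rule also stops the router's dnsmasq from serving local hostnames to that zone, and DHCP option 6 only covers IPv4, so if the tunneled interface also announces IPv6 addresses, the IPv6 resolver it advertises needs the same treatment or IPv6 should be left disabled on it.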