Dns hidden only by wireguard

HI,

I use dnsproxy (before that I used dnscrypt-proxy2). On some DNS check websites I am OK, but on one site I see my ISP's DNS at the top and, under that, all the DNS servers from dnsproxy. I tried everything, but I can still see my ISP's DNS. So now I configured WireGuard, and now I see my Surfshark DNS servers instead of the ISP's. Why do I need to use WireGuard if I want to hide my ISP's DNS?
thanks

root@OpenWrt:~# cat /etc/config/network

# Loopback pseudo-interface; unchanged from the OpenWrt default.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Global network settings; nothing is set here, so defaults apply.
config globals 'globals'

# br-lan bridges the five switch ports into a single LAN segment.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

# LAN side: static 192.168.1.1/24 on br-lan. ip6assign would carve a /60
# for the LAN out of a delegated prefix; per the thread there is no IPv6
# from this ISP, so it has no effect here.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# WAN side: DHCP client on eth1.
config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        # peerdns '0' discards the resolver addresses advertised in the
        # ISP's DHCP lease ("Use DNS servers advertised by peer" unchecked);
        # only the explicit 'dns' entries below are kept for this interface.
        option peerdns '0'
        # Plain port-53 resolvers. dnsmasq does not query them while
        # /etc/config/dhcp has noresolv '1' ("Ignore resolv file"); it
        # forwards only to 127.0.0.1#5353 (dnsproxy). Presumably they only
        # come into play when that option is cleared, as the thread describes.
        list dns '9.9.9.9'
        list dns '1.1.1.1'
        # Route metric for the WAN default route; the poster says the
        # WireGuard interface used 10.
        option metric '5'


root@OpenWrt:~# 

root@OpenWrt:~# cat /etc/config/dhcp

# dnsmasq: DHCP server and the DNS listener every LAN client ends up at
# (the firewall's Intercept-DNS redirect sends all LAN port-53 traffic here).
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # Discard upstream answers that resolve to private address space
        # (DNS-rebinding protection); rebind_localhost still allows
        # answers in 127.0.0.0/8, which some blocklist services use.
        option rebind_protection '1'
        option rebind_localhost '1'
        # Names under .lan are answered locally, never forwarded upstream.
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Only accept DNS queries from directly attached subnets.
        option localservice '1'
        # The sole upstream: dnsproxy listening on loopback port 5353
        # (matches listen_addr/listen_port in /etc/config/dnsproxy).
        list server '127.0.0.1#5353'
        option ednspacket_max '1232'
        # Do not read resolv.conf, so neither the WAN 'dns' list nor any
        # ISP-supplied resolver is used as an upstream. Consequence: if
        # dnsproxy is down, lookups fail instead of falling back to plaintext.
        option noresolv '1'
        list addnmount '/bin/busybox'
        option confdir '/tmp/dnsmasq.d'

# DHCP pool for the LAN: 192.168.1.100-192.168.1.249, 12-hour leases.
# force '1' keeps serving even if another DHCP server is detected on
# the segment.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'

# No DHCP service is offered on the WAN side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

root@OpenWrt:~# 

root@OpenWrt:~# cat /etc/config/firewall

# Zone-independent defaults: unsolicited input and forwarding are REJECTed
# unless a zone or rule allows them; outbound traffic is allowed.
# Software and hardware flow offloading are both enabled.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

# LAN zone: fully open from the LAN side.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# WAN zone. The WireGuard interface wg0 is a member alongside wan, so
# masquerading and every rule that names src/dest 'wan' (including
# Deny-DoT below) apply to the tunnel as well.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wg0'

# LAN may initiate connections into the WAN zone (wan and wg0).
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from here through Allow-ISAKMP are OpenWrt's stock defaults
# (DHCP renewal, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# DNS hijacking (the OpenWrt "DNS hijacking" recipe): a DNAT with no
# dest_ip/dest_port rewrites every LAN-originated packet to port 53 so it
# lands on the router itself, i.e. on dnsmasq, even when a client has a
# public resolver hard-coded. It catches plain DNS on port 53 only:
# DNS-over-HTTPS on 443 is indistinguishable from ordinary HTTPS and
# passes through, so a browser's own DoH setting can still make a leak
# test report a resolver other than the router's.
config redirect 'dns_int'
        option name 'Intercept-DNS'
        option family 'any'
        option proto 'tcp udp'
        option src 'lan'
        option src_dport '53'
        option target 'DNAT'

# Reject DNS-over-TLS/QUIC (853 tcp+udp) from the LAN to the WAN zone so
# clients cannot bypass dnsmasq that way. Because wg0 is in the wan zone,
# the block applies over the tunnel too.
config rule 'dot_fwd'
        option name 'Deny-DoT'
        option src 'lan'
        option dest 'wan'
        option dest_port '853'
        option proto 'tcp udp'
        option target 'REJECT'

# Hook for the pbr (policy-based routing) package. Its rules live in its
# own config, outside this file, and can steer selected traffic over wg0
# instead of wan — worth checking when tracing which path DNS takes.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

root@OpenWrt:~# 

You don't. Can you show your network configurations with DNS settings?

I see you edited your post.

And the issue is with proxy software installed?

There must be another config somewhere.

Do you have another Internet connection?


also, I tried https-dns-proxy app, it was the same

I'm asking what happens without extra software installed - and only using the Quad9 and CloudFlare DNS on WAN?

If you've done that already, it seems your ISP may be intercepting unencrypted DNS inquiries.

Is there another DHCP Server on your network?

Also, I asked:

I could see that in DNS Forwards in DHCP, for example?

I'm asking these questions because you have non default configurations. You should know the answers to these questions.

Because I had WireGuard too; the metric was 5 on WAN and 10 in the WireGuard setup. I removed WireGuard just for now, during this post.

If I disable dnsproxy, keep the DNS servers I added on WAN, and uncheck "Ignore resolv file", I see my ISP's DNS as well as 9.9.9.9 and 1.1.1.1.

Also, I did set up the DNS hijacking

  • Ummm, you cannot use a metric to outrank the physical connection that WireGuard itself runs over... but OK.
  • Secondly, I'm not sure why you made these non-default configuration changes and are now asking for assistance.

If you need to test your WAN DNS doesn't leak:

  • reset to default - default image (i.e., no extra software needed)
  • edit WAN interface
    • uncheck "Use DNS servers advertised by peer"
    • add 9.9.9.9 and 1.1.1.1
  • If you have IPv6, make similar configuration changes for the LAN IPv6 settings to ensure your ISP's server isn't used from the upstream announcement
  • save & apply
  • https://dnsleaktest.com

I suggest uninstalling, but OK.

Hijacked, to where?

[quote="PerkelSimon, post:1, topic:218030"]

config redirect 'dns_int'
        option name 'Intercept-DNS'
        option family 'any'
        option proto 'tcp udp'
        option src 'lan'
        option src_dport '53'
        option target 'DNAT'

On that site, [https://dnsleaktest.com], it does not leak, but on this one it does: https://browserleaks.com/dns

Anyway, if we only had to add this to WAN to hide the ISP's DNS, why do we use so many other things, like https-dns-proxy, dnsproxy, dnscrypt, stubby, unbound, etc.?

I don't. I don't experience DNS leaks on either site. I only see the DNS providers I listed on WAN.

I provided one possible reason for your issue:

Another idea was you didn't change the WAN6 settings as well:

That's the only config needed (plus IPv6 too) to change what DNS servers are used.


I only have an IPv4 address. I disabled IPv6, but I don't have any IPv6 address anyway.

  • ifstatus wan
    • verify that only your "dns-servers" (9.9.9.9 and 1.1.1.1) are listed; and
    • that the ISP's dns-servers are under "inactive"
  • ifstatus wan6
    • verify there's no dns-servers listed (and no address, no prefix, etc.)
    • check inactive as well

screenshot-2024-12-10-13-57-45
screenshot-2024-12-10-13-57-15

Not what I asked for (but helpful), which made me notice this:

Do you still have PBR configs?

Also:

screen902

  • What's running at 5353/udp - and what DNS servers did you configure on that software?
  • Have you returned this config to default when testing?

Yes, still there when I use WireGuard.

What's running at 5353/udp - and what DNS servers did you configure on that software?

It is dnsproxy; I use Quad9 and Cloudflare there too.

root@OpenWrt:~# cat /etc/config/dnsproxy

# For documents, please see https://github.com/AdguardTeam/dnsproxy#usage

# Listener: loopback only, port 5353 — the address dnsmasq forwards to
# (list server '127.0.0.1#5353' in /etc/config/dhcp). Nothing on the LAN
# or WAN can reach it directly.
config dnsproxy 'global'
        option enabled '1'
        list listen_addr '127.0.0.1'
#       list listen_addr '::1'
        list listen_port '5353'
        option log_file ''
        # Permit DNS-over-HTTP/3 upstreams (the h3:// entry below).
        option http3 '1'
        # '0' keeps TLS certificate validation of upstreams enabled. Leave it;
        # '1' would accept any certificate, so an on-path party could pose
        # as the upstream.
        option insecure '0'
        option ipv6_disabled '1'
        option timeout ''
        option max_go_routines ''
        option rate_limit ''
        option refuse_any '0'
        option udp_buf_size ''
        option upstream_mode ''
        option verbose '0'

# No bogus-NXDOMAIN addresses configured.
config dnsproxy 'bogus_nxdomain'
        list ip_addr ''

# Response cache. Optimistic mode serves an expired entry while refreshing
# it in the background. The size is presumably in bytes, per dnsproxy's
# --cache-size option — confirm against the package documentation.
config dnsproxy 'cache'
        option enabled '1'
        option cache_optimistic '1'
        option size '6553500'
        option min_ttl ''
        option max_ttl ''

# DNS64 synthesis disabled (no IPv6 on this ISP anyway).
config dnsproxy 'dns64'
        option enabled '0'
        option dns64_prefix '64:ff9b::'

# EDNS client subnet disabled: no client address hint is sent upstream.
config dnsproxy 'edns'
        option enabled '0'
        option edns_addr ''

config dnsproxy 'hosts'
        option enabled '0'
        list hosts_files ''

# Disabled. If enabled it would send reverse lookups for private ranges
# to 127.0.0.1:53, which on this router is dnsmasq.
config dnsproxy 'private_rdns'
        option enabled '0'
        list upstream '127.0.0.1:53'

# Upstreams. Client queries go out over DoH / DoH3 only. The bootstrap
# entry is the one plain port-53 lookup dnsproxy makes, and only to
# resolve the upstream hostnames, so an ISP that intercepts port 53 sees
# (at most) those hostname lookups, not the LAN's queries; with insecure
# '0' a spoofed bootstrap answer cannot redirect traffic to an impostor,
# because its certificate would not validate. 'fallback' is used when
# the regular upstreams are unreachable. (The unindented bootstrap line is
# cosmetic; UCI ignores leading whitespace.)
config dnsproxy 'servers'
list bootstrap '1.1.1.1:53'
        list fallback 'https://dns.cloudflare.com/dns-query'
        list upstream 'h3://security.Cloudflare-dns.com/dns-query'
        list upstream 'https://dns9.quad9.net/dns-query'

# Disabled: dnsproxy does not itself serve DoT/DoH/DoQ to clients.
config dnsproxy 'tls'
        option enabled '0'
        option tls_crt ''
        option tls_key ''
        option https_port '8443'
        option tls_port '853'
        option quic_port '853'
root@OpenWrt:~# 

Did you uncheck that: "Ignore resolv file"?

And I verified with my ISP: they don't offer IPv6 yet in my area anyway.