Hello, dear forum participants. I discovered a very interesting problem using a software traffic analyzer placed between the provider and OpenWRT. The problem is this: I used a VPN and enabled the kill switch by disabling traffic forwarding from the local network to the global network. It would seem that in this case the Internet connection from the local network to the global network should be completely disabled. However, the traffic analyzer (SmartSniff) shows a DNS leak from a client connected to the local OpenWRT port, and at the same time the VPN is disabled. How can this be? The Internet itself turns off when the VPN is disabled, but for some reason DNS addresses are visible during the analysis of data coming from the local network, at the moment when you open the browser on the client and open a website. If you run an online data leak check through the VPN installed in OpenWRT, there will be no leaks. However, there is a leak between OpenWRT and my ISP, which cannot occur if the LAN is completely disconnected from the WAN.

It turns out that only TCP traffic is disabled, but DNS (UDP) still works? If you look at the traffic analyzer's output, it turns out that when forwarding from LAN to WAN is disabled there is no traffic, but UDP (port 53) is clearly visible, through which DNS addresses are transmitted from the local machine to the LAN port, after which they are somehow transmitted to the WAN port, where the analyzer sees them. The analyzer reliably sees which sites I access outside the global network. The site itself does not open; everything is clear here, as it should be when forwarding is disabled, but DNS addresses should not be transmitted either. How can this be? Is there a way out? Perhaps I need to configure the firewall correctly? Why is UDP not blocked when forwarding from the local network to the global network is disabled? Thanks a lot in advance for the answers!
This is not direct lan=>wan communication, which is prohibited by a rule in the forward chain.
In your case, a LAN client initiates a DNS request to the router (allowed), and then the router initiates another request to the ISP's DNS server (also allowed).
You can block these requests by creating a rule in the output firewall chain or by changing the OpenWrt DNS configuration.
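A way to check this against the sniffer's capture rather than by eye, as an added example (not code from the thread or from OpenWrt): the script parses the question name out of each DNS query's UDP payload and sorts the query by its source address. A source inside the LAN subnet means the packet was forwarded (forward chain); the router's own WAN address means the router sent it itself (output chain). The LAN subnet, the router's WAN address and the capture records are constructed assumptions.

```python
"""Triage DNS queries seen on the WAN side of an OpenWrt router.

Added example, not from the thread. It parses the UDP payload of DNS
queries (RFC 1035 wire format, QNAME only) and sorts each query by where
it originated: a source address inside the LAN subnet means the packet
was forwarded (LAN -> WAN, forward chain); the router's own WAN address
means the router itself sent it (output chain). With the kill switch
(forward rule) in place, only the second kind should remain.
"""
import ipaddress
import struct

# Assumed addressing (not from the thread): LAN 192.168.1.0/24, router WAN 203.0.113.10
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_WAN_IP = ipaddress.ip_address("203.0.113.10")


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (used only to construct sample traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(
        struct.pack("B", len(part)) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(payload: bytes) -> str:
    """Extract the first question name from a DNS message (questions use no compression)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = payload[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        if length == 0:
            break
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def classify(packets):
    """Return {'forwarded': [...], 'router': [...], 'other': [...]} of question names.

    packets: iterable of (src_ip, dst_ip, dst_port, udp_payload); non-DNS ports are skipped.
    """
    out = {"forwarded": [], "router": [], "other": []}
    for src, dst, dport, payload in packets:
        if dport != 53:
            continue
        qname = parse_qname(payload)
        src_ip = ipaddress.ip_address(src)
        if src_ip in LAN_NET:
            out["forwarded"].append(qname)   # would be a forward-chain hole
        elif src_ip == ROUTER_WAN_IP:
            out["router"].append(qname)      # router's own resolver talking upstream
        else:
            out["other"].append(qname)
    return out


# Constructed sample capture: what a sniffer on the WAN side sees with
# forwarding disabled: router-originated lookups only, sent to the ISP resolver.
SAMPLE_CAPTURE = [
    ("203.0.113.10", "198.51.100.53", 53, build_query("youtube.com")),
    ("203.0.113.10", "198.51.100.53", 53, build_query("0.openwrt.pool.ntp.org")),
    ("203.0.113.10", "198.51.100.123", 123, b"\x23" + b"\x00" * 47),  # NTP, skipped
]

if __name__ == "__main__":
    result = classify(SAMPLE_CAPTURE)
    print("forwarded (LAN -> WAN):", result["forwarded"])  # empty: the kill switch holds
    print("router-originated     :", result["router"])     # the queries the thread calls a leak
```

If the `forwarded` list is ever non-empty with the kill switch on, the forward rule itself is broken; a non-empty `router` list is exactly the output-chain traffic described above, and the fix is on the router's own resolver or an output rule, not the forward rule.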
@Sergii
be warned ...
if your VPN endpoint is based on an FQDN (my.vpn.com, for example), and you start tinkering with DNS to stop DNS requests from the router itself, you will easily get into trouble where the OWRT router cannot find DNS for the VPN:
chicken/egg problem
no DNS without VPN, no VPN without DNS
Some info about DNS leaks and ways to mitigate them:
Thanks for the wonderful reply. Can any knowledgeable people tell me how to stop this DNS leak phenomenon? I tried without a VPN, just using OpenWRT as a regular router: when I disable forwarding from the LAN to the global network, all traffic stops being seen by the packet analyzer on the router's WAN port, and this is fine; however, DNS (UDP) is still seen. It turns out that DNS traffic from the LAN is not disconnected from the global network when the kill switch is enabled, if the audit is performed without using a VPN. I thought that with the kill switch enabled, traffic over all protocols should be completely blocked. Is it possible to completely block traffic when the kill switch is enabled? In OpenWRT, DNS packets are successfully seen on the WAN port, which should not be the case when the kill switch is enabled. We are not talking about DNS leaks that end up on the server you are connected to; no, there were no problems with this during testing. We are talking about DNS leaks that are reliably transmitted to the provider. When the kill switch is off, my provider's DNS packets are not seen; if you look at DNSLeakTest, everything is set up well here, and DNS packets are also not seen between the provider and the global network. But when the kill switch is turned on, DNS relaying from the local network to the global network is turned on, and DNS packets start to be seen between my ISP and WAN OpenWRT. When the kill switch is enabled, there is no Internet connection, but DNS is enabled, and it is seen on the other end of the router's line (WAN port). Can you give an example of how to disable DNS when the kill switch is enabled? When the VPN is turned on, the VPN provider's DNS is used, there are no leaks, and DNS packets are not seen on the WAN port; however, when you turn on the kill switch, DNS turns on and begins to be transmitted and seen on the WAN port. That is, everything is fine:
everything is disabled except UDP, through which DNS passes, and this is very bad. Please help with examples of how to set up the rule so that when the kill switch is turned on, DNS is completely disconnected from the WAN or LAN. Thank you for your answers!
I went to the local computer and entered "YouTube" in the address bar. This computer is connected to the LAN port of the OpenWRT router. The kill switch is enabled on OpenWRT (forwarding from LAN to WAN is disabled). After that, I went to look at the traffic at the output of the OpenWRT WAN port.
I went into the traffic sniffer (traffic analyzer), which is connected to the WAN port of the OpenWRT router. When opening any site on the client computer, DNS passes through the kill switch and is observed on the WAN port side of the OpenWRT router, which should not happen.
Hardware configuration: the computer is connected to the LAN port of the OpenWRT router. The traffic analyzer acts as an intermediary between the OpenWRT router and the home Internet provider. This "man in the middle" (traffic sniffer) detects DNS queries on the router's WAN port, which should not be the case when the kill switch is enabled. They say that with the kill switch enabled all problems with leaks are solved, but in practice this is not the case. If we connect a traffic sniffer to the router's WAN port, we can detect a DNS leak to our provider. We are talking about a DNS leak between the provider and the OpenWRT router, not about a leak between the VPN and the server on which the user resides. How can I make sure that when the kill switch is turned on, the UDP protocol (DNS) is also turned off? Maybe there is an example to help understand this? Thanks!
Yes, this is the normal behaviour, and it has already been explained by @pavelgl.
Your clients can resolve DNS, but no traffic from your clients to that IP address is possible because of the kill switch.
If that is problematic for you, then use one of the ways I describe.
That's right, the traffic is not working, as forwarding from LAN to WAN is disabled. No site opens when forwarding is disabled, but DNS passes from the LAN to the WAN port of the OpenWRT router and is detected. I would like to make sure that when LAN-to-WAN forwarding is turned off, DNS is also blocked. Otherwise, my provider will see which site was "clicked", and this is no longer confidential. It turns out that the kill switch only protects against VPN breakage. But when the VPN is turned off and the kill switch is turned on, DNS leaks into the provider's network. Thanks for the information; I will try to work with the rules.
Thanks, I'm familiar with this. When DNS is completely disabled, I use the endpoint's IP address and port. The same goes for time synchronization: if DNS is excluded, then time synchronization cannot find DNS and the time gets lost. However, if you enter its IP address instead of the domain name (time server), the problem is solved. But this is not the way out. Can you tell me if there is any way to set up my own personal DNS server and assign it to time synchronization? For example, I have the time server 0.openwrt.pool.ntp.org, and I want to assign DNS 1.1.1.1 to it so that the connection does not depend on the DNS settings on the WAN port (for example, so that it does not depend on my ISP's DNS if I disable it). Is there a solution? Is there any way to assign the 1.1.1.1 DNS address to the time synchronization client? Only the time client would use DNS 1.1.1.1; everything else uses the provider's DNS (let's assume). Thank you!
Thanks for the reply. If you speak Russian, is there any way I can contact you via Telegram? Through the translator, my thoughts may break down. I promise a reward for your help; I understand that no one will just waste their time, and I will be grateful in return. I would appreciate it if DNS could be disabled automatically when KillSwitch mode is enabled (or LAN-to-WAN forwarding is disabled), since DNS leaks to my ISP greatly spoil the privacy picture. I rarely use the VPN, only when I need to watch YouTube. However, when I turn off the VPN (exclude it from the OpenWRT interface), I see DNS appearing on the OpenWRT WAN port. I can cover this up by going into the WAN interface settings and entering 127.0.0.1 in the DNS field. In this case, leaks from the WAN port are closed, but the built-in time synchronization client on OpenWRT stops working because DNS is missing. As I understand it, your suggestion can solve this problem? Thank you.
I speak Russian, but I understand what you want, and I don't think communicating in your language will bring any benefit.
Then disable all upstream DNS servers and set only the DNS server provided by your VPN provider (replace 10.9.8.1 with the correct address). Also, set Cloudflare DNS to be used for NTP queries.
uci set dhcp.@dnsmasq[0].noresolv='1'
uci add_list dhcp.@dnsmasq[0].server='10.9.8.1' # Set the correct VPN DNS server here
uci add_list dhcp.@dnsmasq[0].server='/0.openwrt.pool.ntp.org/1.1.1.1'
uci commit dhcp
service dnsmasq restart
Since you have a kill switch, I presume the VPN interface is assigned to a dedicated firewall zone. Just in case, block all DNS requests originating from the wan zone, except those directed to Cloudflare.
uci add firewall rule
uci set firewall.@rule[-1].name='Forbid-WAN-DNS'
uci set firewall.@rule[-1].dest='wan'            # no 'src': applies to traffic the router itself originates (output chain)
uci set firewall.@rule[-1].dest_ip='!1.1.1.1'    # negated match: everything except Cloudflare
uci set firewall.@rule[-1].dest_port='53'        # proto defaults to tcp+udp
uci set firewall.@rule[-1].target='REJECT'
uci commit firewall
service firewall restart
This should cover your requirements.
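A dry run of the policy in the answer above, as an added example (not from the thread or from OpenWrt): it emulates, in simplified form, how dnsmasq picks an upstream from the uci `server` list (a plain address is a default upstream; `/domain/addr` sends that domain and its subdomains to `addr`, longest domain winning) and then applies the `Forbid-WAN-DNS` rule to the router-originated query. The zone layout (10.9.8.0/24 reached through the VPN zone, everything else through wan), the use of the first default server only, and the ISP resolver address in the tests are assumptions.

```python
"""Dry-run the DNS policy from the answer above (added example, not from the thread).

Two pieces are emulated in simplified form:
  * dnsmasq upstream selection for the uci 'server' list: a plain address is
    a default upstream; '/domain/addr' sends that domain and its subdomains
    to addr, the longest matching domain winning. Forms such as '/domain/#'
    or rev-server are not modelled; with several defaults the first is used.
  * the 'Forbid-WAN-DNS' rule: traffic the router itself sends to the wan zone
    on port 53 is rejected unless the destination is 1.1.1.1.
Assumed zone layout (not from the thread): 10.9.8.0/24 is reached through the
VPN tunnel zone, everything else through wan.
"""
import ipaddress

SERVERS = ["10.9.8.1", "/0.openwrt.pool.ntp.org/1.1.1.1"]   # the uci 'server' list
ZONES = {ipaddress.ip_network("10.9.8.0/24"): "vpn"}         # assumption: tunnel subnet
DNS_EXEMPT = {"1.1.1.1"}                                     # dest_ip='!1.1.1.1'


def parse_servers(entries):
    """Split the uci list into default upstreams and (domain, addr) scoped upstreams."""
    defaults, scoped = [], []
    for entry in entries:
        if entry.startswith("/"):
            _, domain, addr = entry.split("/", 2)
            scoped.append((domain.lower().rstrip("."), addr))
        else:
            defaults.append(entry)
    return defaults, scoped


def select_upstream(qname, entries=SERVERS):
    """Return the upstream dnsmasq would pick for qname, or None if there is none."""
    defaults, scoped = parse_servers(entries)
    name = qname.lower().rstrip(".")
    best = None
    for domain, addr in scoped:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, addr)          # most specific domain wins
    if best is not None:
        return best[1]
    return defaults[0] if defaults else None   # noresolv=1 and no default: query fails, no leak


def zone_for(addr):
    """Map a destination address to the firewall zone it leaves through."""
    ip = ipaddress.ip_address(addr)
    for net, zone in ZONES.items():
        if ip in net:
            return zone
    return "wan"


def firewall_verdict(dst_addr, dst_port=53):
    """Apply Forbid-WAN-DNS to a packet originating on the router."""
    if zone_for(dst_addr) == "wan" and dst_port == 53 and dst_addr not in DNS_EXEMPT:
        return "REJECT"
    return "ACCEPT"


def resolve_path(qname, entries=SERVERS):
    """(upstream, verdict): where the router would send the query and whether it gets out."""
    upstream = select_upstream(qname, entries)
    if upstream is None:
        return (None, "NO-UPSTREAM")
    return (upstream, firewall_verdict(upstream))


if __name__ == "__main__":
    for name in ("youtube.com", "0.openwrt.pool.ntp.org", "1.openwrt.pool.ntp.org"):
        print(f"{name:28s} -> {resolve_path(name)}")
    # What happens if someone later adds the ISP resolver back as a default:
    print("with ISP resolver added   ->",
          resolve_path("youtube.com", SERVERS + ["198.51.100.53"]))
```

Two things the dry run makes visible: `1.openwrt.pool.ntp.org` does not match the scoped entry for `0.openwrt.pool.ntp.org` and so goes to the VPN resolver, which is unreachable while the tunnel is down; and a plain ISP resolver added later is still caught by the firewall rule, because the rule, not the dnsmasq config, is what blocks port 53 towards wan.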
Thank you for the information provided! We will try to conduct an audit on the new settings. Thank you.
Thank you, everything worked out: with the kill switch enabled, DNS addresses are not seen on the WAN port of the OpenWRT router. Only the DNS for time synchronization is seen, but this is normal; it cannot be otherwise with LAN-to-WAN forwarding disabled. It was useful to learn how to assign personal DNS addresses for time synchronization; this saved the situation. Thank you.