DNS leak with a wireguard client

I have an OpenWrt 21.02.0 installation on a Raspberry Pi 4 Model B Rev 1.4. I have a wireguard client that connects to a VPN provider and am using VPN Policy Routing to tunnel LAN traffic through this wireguard client. All works fine except that I have a DNS leak. I have tried a number of changes but never have I been able to make my system use the DNS server advertised by the VPN provider. Any leak test always shows cloudflare servers which I have listed in the dnsmasq config. (/etc/config/dhcp)

I can see several people have pointed this issue out in the past and am wondering if there is a clear cut solution to this problem? Any help would be most appreciated.

1 Like

Have you put the SurfShark DNS severs they promote into you dnsmasq config?
I just pop in the server after killing my install of Stubby,,
I'm Green!

Going back to Stubby Now! (in the RED on cloudflare) :face_with_raised_eyebrow:

Yes, I can list my VPN provider's smart dns IPs in dnsmasq config and it seems to work in the sense that dns leak test does show these DNS servers. However, with this set up I still run into issues with Amazon Prime Video which can somehow detect I am connecting through a VPN. The only DNS server that works with Amazon Prime Video is the one that is dynamically pushed by the VPN service at the time the connection is established. But unfortunately, I can't get my openwrt setup to use that dynamic DNS.

Blocking the VPN providers IP isn't rocket science. Most streaming providers do it.

I think I should have been clearer in my previous post. What I am saying is that if I connect to the same vpn provider with the same vpn configuration directly from my ubuntu desktop, amazon prime video works flawlessly. In this case, a dns leak test shows the single vpn provider's dns server. However, with openwrt, the dns server pushed by the vpn provider is not used at all. A leak test shows the dns ips explicitly listed by me in /etc/config/dhcp and amazon prime refuses to stream.

You can prove your theory by replacing the dns ips in /etc/config/dhcp with your vpn provider recommended dns ip.
Disable peerdns in /etc/config/network option peerdns '0' and restart network. That should use the DNS Server from your provider, but policy-based-routing is your course ahead.