DNS leak with wireguard

Do you have a list of recommended packages for a beefy OpenWrt router? I run mine on a Proxmox server with 32 GB of RAM and 2.5 Gb Ethernet.

What packages would I remove and replace with?

Thanks

I read this as:
You connected here (your VPN provider) with IP 172.69.133.63. Your DNS requests from this address are being directed/resolved by IP 193.138.218.74 (exactly the DNS server your config is set to use).

If 193.138.218.74 is not associated with your ISP, I don't see a DNS leak.

172.69.133.63 - Cloudflare

193.138.218.74 - Mullvad

It is more than the set of packages. You can activate many options that require building from source. I am now using this build config:

CONFIG_DEVEL=y
CONFIG_BUSYBOX_CUSTOM=y
CONFIG_BUILD_LOG=y
CONFIG_BUSYBOX_CONFIG_FEATURE_DATE_NANO=y
CONFIG_BUSYBOX_CONFIG_FEATURE_EDITING_SAVEHISTORY=y
CONFIG_BUSYBOX_CONFIG_FEATURE_EDITING_SAVE_ON_EXIT=y
CONFIG_BUSYBOX_CONFIG_FEATURE_LESS_FLAGS=y
CONFIG_BUSYBOX_CONFIG_FEATURE_LESS_REGEXP=y
CONFIG_BUSYBOX_CONFIG_FEATURE_LESS_WINCH=y
CONFIG_BUSYBOX_CONFIG_FEATURE_SYSLOG_INFO=y
CONFIG_BUSYBOX_CONFIG_FEATURE_TIMEZONE=y
CONFIG_BUSYBOX_DEFAULT_STAT=y
CONFIG_DEBUG=y
CONFIG_DROPBEAR_ECC=y
CONFIG_IMAGEOPT=y
CONFIG_INCLUDE_CONFIG=y
CONFIG_LIBCURL_COOKIES=y
CONFIG_LIBCURL_FILE=y
CONFIG_LIBCURL_FTP=y
CONFIG_LIBCURL_HTTP=y
CONFIG_LIBCURL_NGHTTP2=y
CONFIG_LIBCURL_NO_SMB="!"
CONFIG_LIBCURL_OPENSSL=y
CONFIG_LIBCURL_PROXY=y
# CONFIG_LUCI_JSMIN is not set
CONFIG_OPENSSL_ENGINE=y
CONFIG_OPENSSL_WITH_ASM=y
CONFIG_OPENSSL_WITH_CHACHA_POLY1305=y
CONFIG_OPENSSL_WITH_CMS=y
CONFIG_OPENSSL_WITH_DEPRECATED=y
CONFIG_OPENSSL_WITH_ERROR_MESSAGES=y
CONFIG_OPENSSL_WITH_PSK=y
CONFIG_OPENSSL_WITH_SRP=y
CONFIG_OPENSSL_WITH_TLS13=y
CONFIG_PREINITOPT=y
CONFIG_TARGET_PREINIT_TIMEOUT=5
# CONFIG_WPA_WOLFSSL is not set
# CONFIG_LUCI_CSSTIDY is not set

# CONFIG_PACKAGE_libustream-wolfssl is not set
# CONFIG_PACKAGE_libwolfssl is not set
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
CONFIG_PACKAGE_openssh-sftp-server=y
CONFIG_PACKAGE_6in4=y
CONFIG_PACKAGE_6rd=y
CONFIG_PACKAGE_6to4=y
CONFIG_PACKAGE_auc=y
CONFIG_PACKAGE_blockd=y
CONFIG_PACKAGE_ca-certificates=y
CONFIG_PACKAGE_ccrypt=y
CONFIG_PACKAGE_collectd-mod-conntrack=y
CONFIG_PACKAGE_collectd-mod-cpufreq=y
CONFIG_PACKAGE_collectd-mod-ipstatistics=y
CONFIG_PACKAGE_collectd-mod-ping=y
CONFIG_PACKAGE_collectd-mod-sqm=y
CONFIG_PACKAGE_collectd-mod-thermal=y
CONFIG_PACKAGE_collectd-mod-wireless=y
CONFIG_PACKAGE_cryptsetup=y
CONFIG_PACKAGE_curl=y
CONFIG_PACKAGE_ddns-scripts-noip=y
CONFIG_PACKAGE_diffutils=y
CONFIG_PACKAGE_e2fsprogs=y
CONFIG_PACKAGE_f2fs-tools=y
CONFIG_PACKAGE_gdbserver=y
CONFIG_PACKAGE_hostapd-utils=y
CONFIG_PACKAGE_htop=y
CONFIG_PACKAGE_ip6tables-mod-nat=y
CONFIG_PACKAGE_ip6tables-nft=y
CONFIG_PACKAGE_iperf3=y
CONFIG_PACKAGE_iptables-mod-extra=y
CONFIG_PACKAGE_irqbalance=y
CONFIG_PACKAGE_kmod-fs-cifs=y
CONFIG_PACKAGE_kmod-fs-exfat=y
CONFIG_PACKAGE_kmod-fs-ext4=y
CONFIG_PACKAGE_kmod-fs-f2fs=y
CONFIG_PACKAGE_kmod-fs-hfs=y
CONFIG_PACKAGE_kmod-fs-hfsplus=y
CONFIG_PACKAGE_kmod-fs-msdos=y
CONFIG_PACKAGE_kmod-fs-nfs-v3=y
CONFIG_PACKAGE_kmod-fs-nfs-v4=y
CONFIG_PACKAGE_kmod-nls-cp1250=y
CONFIG_PACKAGE_kmod-nls-cp850=y
CONFIG_PACKAGE_kmod-nls-iso8859-15=y
CONFIG_PACKAGE_kmod-usb-storage-uas=y
CONFIG_PACKAGE_luci-app-adblock=y
CONFIG_PACKAGE_luci-app-attendedsysupgrade=y
CONFIG_PACKAGE_luci-app-banip=y
CONFIG_PACKAGE_luci-app-bcp38=y
CONFIG_PACKAGE_luci-app-commands=y
CONFIG_PACKAGE_luci-app-ddns=y
CONFIG_PACKAGE_luci-app-nlbwmon=y
CONFIG_PACKAGE_luci-app-openvpn=y
CONFIG_PACKAGE_luci-app-sqm=y
CONFIG_PACKAGE_luci-app-statistics=y
CONFIG_PACKAGE_luci-app-ttyd=y
CONFIG_PACKAGE_luci-app-uhttpd=y
CONFIG_PACKAGE_luci-app-upnp=y
CONFIG_PACKAGE_luci-app-unbound=y
CONFIG_PACKAGE_luci-app-vnstat2=y
CONFIG_PACKAGE_luci-app-wireguard=y
CONFIG_PACKAGE_luci-ssl-openssl=y
CONFIG_PACKAGE_mc=y
CONFIG_PACKAGE_ncdu=y
CONFIG_PACKAGE_nfs-utils=y
CONFIG_PACKAGE_ntfs-3g=y
CONFIG_PACKAGE_openvpn-openssl=y
CONFIG_PACKAGE_patch=y
CONFIG_PACKAGE_ppp-mod-pptp=y
CONFIG_PACKAGE_tc-mod-iptables=y
CONFIG_PACKAGE_tcpdump-mini=y
CONFIG_PACKAGE_tor=y
CONFIG_PACKAGE_unbound-control=y
CONFIG_PACKAGE_odhcpd=y
# CONFIG_PACKAGE_odhcpd-ipv6only is not set
# CONFIG_PACKAGE_dnsmasq is not set

CONFIG_PACKAGE_tree=y
CONFIG_PACKAGE_wget-ssl=y
CONFIG_PACKAGE_wpad-openssl=y

# CUSTOM PACKAGE SET: luci-theme-argon luci-app-argon-config
CONFIG_PACKAGE_luci-theme-argon=y
CONFIG_PACKAGE_luci-app-argon-config=y

# CUSTOM PACKAGE SET: nano-full
CONFIG_PACKAGE_nano-full=y

Just do not forget to run make menuconfig and select your device.

If you are using the imagebuilder, you won't have the possibility of tweaking OpenSSL or BusyBox, but you will still be able to use almost all the features. The package list would be:

odhcpd -odhcpd-ipv6only luci-app-unbound unbound-control -dnsmasq openssh-sftp-server -libustream-wolfssl -libwolfssl -wpad-basic-wolfssl 6in4 6rd 6to4 auc blockd ca-certificates ccrypt collectd-mod-conntrack collectd-mod-cpufreq collectd-mod-ipstatistics collectd-mod-ping collectd-mod-sqm collectd-mod-thermal collectd-mod-wireless cryptsetup curl ddns-scripts-noip diffutils e2fsprogs f2fs-tools gdbserver hostapd-utils htop ip6tables-mod-nat ip6tables-nft iperf3 iptables-mod-extra irqbalance kmod-fs-cifs kmod-fs-exfat kmod-fs-ext4 kmod-fs-f2fs kmod-fs-hfs kmod-fs-hfsplus kmod-fs-msdos kmod-fs-nfs-v3 kmod-fs-nfs-v4 kmod-nls-cp1250 kmod-nls-cp850 kmod-nls-iso8859-15 kmod-usb-storage-uas luci-app-adblock luci-app-argon-config luci-app-attendedsysupgrade luci-app-banip luci-app-bcp38 luci-app-commands luci-app-ddns luci-app-nlbwmon luci-app-openvpn luci-app-sqm luci-app-statistics luci-app-ttyd luci-app-uhttpd luci-app-upnp luci-app-vnstat2 luci-app-wireguard luci-ssl-openssl luci-theme-argon mc nano-full ncdu nfs-utils ntfs-3g openvpn-openssl patch ppp-mod-pptp tc-mod-iptables tcpdump-mini tor tree wget-ssl wpad-openssl

Looks like an ISP / upstream peerdns setup. It takes over the entire downstream network's port 53 access, and giving any server to nslookup reports a success (even if the server doesn't exist). dig to port 53 of any DNS server will give the exact same result (and will give a correct result even if the server is invalid); however, dig to port 443 (yes, standard DNS running on the server's port 443) should give different results (and will also time out if the server is invalid).

Connecting to port 5353 or 443 of OpenDNS (by forwarding the local port 53 on the computer to OpenDNS port 443/5353) should report no leaks.

Yes, some iptables magic may be required at both the router and PC end to remove the port 53 upstream peerdns takeover.
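The "query a server that doesn't exist" check from the post above, written out as an added Python example (not from this thread): it builds a raw DNS A query, sends it to an address where no resolver should be listening, and parses whatever comes back. The probe target 192.0.2.1 (RFC 5737 documentation range, assumed to run no resolver) and the query name are assumptions; a parsed answer from such an address means something on the path is answering port 53 in the server's place.

```python
import random
import socket
import struct

def build_query(name, qid):
    """Minimal DNS A query: one question, RD=1, no EDNS."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(buf, off):
    # Advance past a domain name; a compression pointer (top two bits set) ends it.
    while buf[off] != 0 and (buf[off] & 0xC0) != 0xC0:
        off += buf[off] + 1
    return off + (2 if (buf[off] & 0xC0) == 0xC0 else 1)

def parse_a_records(resp, qid):
    """IPv4s from the answer section; None if the transaction id is not ours."""
    if len(resp) < 12 or struct.unpack(">H", resp[:2])[0] != qid:
        return None
    qdcount, ancount = struct.unpack(">HH", resp[4:8])
    addrs, off = [], 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def probe(server, name="example.com", port=53, timeout=2.0):
    """One query to server:port; None on timeout, else the answer IPs."""
    qid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_a_records(resp, qid)

if __name__ == "__main__":
    # 192.0.2.1 is in the RFC 5737 documentation range and is assumed to run no
    # resolver, so any answer here means port 53 is being intercepted upstream.
    print("intercepted" if probe("192.0.2.1") else "no interception seen")
```

A timeout from the bogus address is the expected result; compare against a real resolver on port 53 and, as the post suggests, against a resolver that also listens on 443 or 5353 to see which path the interception covers.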

DNS leaks are a tricky thing. Some operating systems (like Windows 11) offer DoH services, but occasionally devices and applications will still try to forcibly use various DNS providers depending on the device and application. To fix this, I had to spend a lot of time analyzing traffic and discovering what was going on. For a while, I ran my own private DNS server using Simple DNS (which can run locally on a Windows workstation) and found that it was a great way to create firewall rules. However, when it came to lookups it was not using DoH and lookups could still be sniffed. When Cloudflare came out with 1.1.1.1 and DoH I was interested to see about using it for my entire network no matter the device. Even if you apply 1.1.1.1 as DNS on a device, if it isn't HTTPS it can be forwarded due to the protocol. So, long story short, I ended up installing the dnscrypt-proxy2 package (Installation on OpenWrt · DNSCrypt/dnscrypt-proxy Wiki, github.com) and set up DoH (DNS over HTTPS) to 1.0.0.1 (Cloudflare DoH). There are multiple DoH providers out there that can be used. Afterwards, I applied port forwarding firewall rules so that any traffic over port 53 (and other common unencrypted DNS ports) would forward to the OpenWrt router providing DoH for the network. The bad thing about a VPN is that if you are using it you are at the mercy of the VPN provider and the connectivity of the local network: if your connection on the VPN drops, or your wireless drops and reconnects and your VPN doesn't have a kill switch, it will start hitting regular DNS if it isn't using the HTTPS protocol. HTTPS, by design, has security built into the protocol so that it will not allow specific types of forwards or a redirect. That's right, you thought you were safe behind that VPN? Think again...
Personally, I still run my own DNS and forward the lookups from SimpleDNS to my OpenWrt router so that I can monitor what hosts my Windows machines are trying to look up and use it as a way to easily add approved sites to my whitelist. To make matters worse, if you're not randomizing your MAC address you can also be easily tracked when you're out and about. Another trick I implement is restricting the DNS provider on the WAN port; those also like to circumvent DNS and give your ISP an "in" to your DNS lookups.