Does dnsmasq go through WireGuard tunnel?

I have set up my OpenWrt to use Mullvad VPN via WireGuard. Using pbr to selectively route some LAN computers to VPN and some to WAN.

Most guides suggest advertising custom DNS servers to LAN computers. I didn't do that, because I like having dnsmasq resolving my device names. So my LAN computers (10.8.x.x) are using 10.8.1.1 for DNS. My OpenWrt's WAN interface uses 1.1.1.1 as DNS.

A few questions:

  1. I am surprised to find that traceroute to 1.1.1.1 from the router goes through the VPN tunnel (which is good). My assumption was that only (some) LAN computers route to VPN. Does that mean DNS resolution via dnsmasq actually goes through the VPN tunnel?
  2. If dnsmasq routes through the tunnel, aren't my DNS queries privacy-protected? Why do I need to advertise custom DNS servers for LAN computers?
  3. Any reason I should use Mullvad DNS servers instead of 1.1.1.1 as my upstream DNS?

I understand that if my VPN tunnel goes down, I would experience DNS leak, which I do not mind. Here are some of my configurations:

network (partial):

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option netmask '255.255.0.0'
        option ipaddr '10.8.1.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        # ignore the resolvers handed out by the ISP's DHCP server
        option peerdns '0'
        # these become the "nameserver" lines netifd writes to resolv.conf.auto,
        # i.e. the upstreams dnsmasq forwards to
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'WGVPN1'
        option proto 'wireguard'
        option private_key '...'
        list addresses '10.66.113.240/32'
        # treat the interface as up regardless of link state
        option force_link '1'

config wireguard_WGVPN1
        option description 'US247 Virginia'
        option public_key '...'
        option endpoint_host '198.54.135.66'
        option endpoint_port '51820'
        # every IPv4 destination is allowed through this peer...
        list allowed_ips '0.0.0.0/0'
        # ...and a route is installed for it, so the tunnel becomes the router's
        # own default route (the router's traffic, not only pbr-selected LAN hosts)
        option route_allowed_ips '1'
        option persistent_keepalive '25'

dhcp (partial):

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # refuse upstream answers that point at private addresses
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # upstream list generated by netifd from the WAN interface's "list dns" entries
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # only answer queries from directly attached subnets
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option start '2560'
        option limit '200'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

If you have traffic set to use VPN, then your DNS resolver (also a part of your network) will use it too.

If you trust the VPN provider - yes. FYI, they're not encrypted via DoT or DoH - unless you set that up.

This is usually needed if additional DNS resolution IPs are listed on the WAN interface; but you stated that you only have 1.1.1.1 configured.

Feel free to use them if you trust Mullvad's DNS instead of Cloudflare's.


Thanks. Concise and to the point.
