Hello, I have a router where the WAN is set as the default gateway. I also have a VPN client interface and VLANs that I route exclusively through the VPN using policy-based routing. I want to use https-dns-proxy, but it's currently using the IP address of the WAN interface instead of the VPN interface's IP address. This happens because the WAN is the default gateway. Is there a way to change this behavior without changing the default gateway? I want all DNS traffic to be resolved using the IP address of the VPN. Thanks.
With PBR rules you can use domain based routing to route a domain (e.g. your DNS servers address) via the VPN.
Note as the traffic comes from the router you need to use the OUTPUT chain instead of the default PREROUTING chain.
For other options you can look into using Split DNS see: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak#policy-based-routing
But if I do that, I wouldn't be using https-dns-proxy and would just be using plain-text DNS, right? Is there a better or easier option? Maybe something like binding a network to dnsmasq? (if that exists)
The reason the WAN interface needs to remain the default gateway is that dynamic DNS with a bind network (want wan) doesn't work properly when the VPN is set as the default gateway (it just doesn't work). Probably because of pbr?
No, you just send traffic to your DoH resolver via the VPN instead of via the WAN.
Take cloudflare with its URL of https://dns.cloudflare.com/dns-query, then you use the domain dns.cloudflare.com to route via the VPN.
At least that is the theory
Oh, I wanted to use adblock-lean, but I guess it doesn't have a domain for DNS, right? Is there a way I can use adblock-lean in that theory? Sorry should have mentioned earlier.
I do not use that (I use Adblock), but what has that to do with DNS resolving via WAN or VPN (other than blocking DNS addresses)?
Well, I can't use domain-based DNS routing in PBR if adblock-fast, adblock-lean, and adblock don't have a domain because they use dnsmasq on the router, right? I am assuming the pbr rule overrides adblock?
Sure you can do that I also have Adblock and I am using https-dns proxy and I am using PBR with domain based routing.
It works like this: DNSmasq is your DNS resolver, Adblock makes a list of domains which are blocked in DNSMasq,
HTTPS-DNS proxy is the upstream resolver for DNSMasq.
Okay, so let's assume I create a PBR DNS domain rule where I assign Cloudflare DNS to the VPN interface. Would I still have adblock then? And would it use https-dns-proxy or just PBR's own DNS handling? I think I might be confusing things.
Sure
If you want secure DNS, then use https DNS proxy; that is just the upstream resolver for DNSMasq.
If you want to have DNS resolution via the VPN, then use PBR to make the DNS servers which are used by https-dns proxy (e.g. cloudflare) route via the VPN.
Oh, so I essentially force the entire domain to be routed through the VPN, which makes https-dns-proxy follow that rule. I wasn't aware you could do that. Thank you for the help; I'll give it a try!
Exactly.
Note that if you have IPv6 implemented on your router your VPN should also be able to handle IPv6 because IPv6 is usually preferred.
I did a quick test with the default https servers (cloudflare and google):
That appears to work as checked with traceroute from the router
I've tried the same setup, but unfortunately, it didn't work for me. I installed the latest version of PBR from the repository, along with dnsmasq-full, and configured it to use dnsmasq nft set thing. However, the rules I set up were completely ignored. I experimented with prerouting and output, but the dns resolution still pointed to WAN instead of the selected VPN. In https-dns-proxy, I used cloudflare-dns.com and created a domain rule in PBR, but it didn't function as expected. Is there something I might have overlooked in the PBR configuration? Ultimately, the client ended up resolving DNS through the WAN.
It works for me.
I use https DNS proxy with cloudflare and google:
```
config https-dns-proxy
	option bootstrap_dns '8.8.8.8,8.8.4.4'
	option resolver_url 'https://dns.google/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5054'
	option user 'nobody'
	option group 'nogroup'

config https-dns-proxy
	option bootstrap_dns '1.1.1.1,1.0.0.1'
	option resolver_url 'https://cloudflare-dns.com/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5053'
	option user 'nobody'
	option group 'nogroup'
```
I use this PBR policy to route the domains used by cloudflare and google to route via the VPN:
```
config policy
	option name 'https-dns-proxy'
	option dest_addr 'cloudflare-dns.com dns.google'
	option chain 'output'
	option interface 'wg_mullv_se'
```
The way the domains are resolved via bootstrap might prevent DNSMasq from resolving the address, so to make sure the nft set is filled, do from the command line:
```
nslookup cloudflare-dns.com
nslookup dns.google
```
Check if the nft set is filled with `nft list ruleset`; in my case it looks like:
```
set pbr_wg_mullv_se_4_dst_ip_cfg136ff5 {
	type ipv4_addr
	flags interval
	auto-merge
	comment "https-dns-proxy"
	elements = { 8.8.4.4, 8.8.8.8,
		     104.16.248.249, 104.16.249.249 }
}
set pbr_wg_mullv_se_6_dst_ip_cfg136ff5 {
	type ipv6_addr
	flags interval
	auto-merge
	comment "https-dns-proxy"
	elements = { 2001:4860:4860::8844,
		     2001:4860:4860::8888,
		     2606:4700::6810:f8f9,
		     2606:4700::6810:f9f9 }
}
```
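An added check script for the setup described in this thread (it is not from the thread, nor from the pbr or https-dns-proxy projects): it resolves the DoH resolver hostnames through dnsmasq, confirms that every returned address landed in the PBR nft sets, and confirms that a packet carrying the policy's fwmark would leave via the VPN interface rather than the WAN. It assumes OpenWrt with `nft`, `ip-full` (for `ip route get ... mark`) and a current BusyBox `nslookup`; the set names, interface name and fwmark are supplied on the command line (the set and interface names below are the ones quoted above, the fwmark must be read from your own ruleset). Plain `ip route get` without the mark would always show the WAN, which is why the mark is needed for a meaningful answer.

```shell
#!/bin/sh
# Added example (not from the thread): verify that DoH resolver IPs are in the
# PBR nft sets and that marked packets to them egress via the VPN interface.
# Assumes OpenWrt with nft, ip-full and BusyBox nslookup.

# Print the elements of a named nft set, one per line.
# $1 = set name; stdin = output of `nft list ruleset`.
set_elements() {
    awk -v name="$1" '
        $1 == "set" && $2 == name { inset = 1; next }
        inset && /^[[:space:]]*}/ { inset = 0 }
        inset && /elements/       { sub(/.*elements = \{/, ""); collect = 1 }
        inset && collect {
            last = ($0 ~ /}/)          # a closing brace ends the element list
            gsub(/[{},]/, " ")
            for (i = 1; i <= NF; i++) print $i
            if (last) collect = 0
        }'
}

# Print those of the IPs $2.. that are NOT in set $1; stdin = nft ruleset.
missing_from_set() {
    _name=$1; shift
    _present=" $(set_elements "$_name" | tr '\n' ' ') "
    for _ip in "$@"; do
        case "$_present" in
            *" $_ip "*) ;;
            *) echo "$_ip" ;;
        esac
    done
}

# Print the 'dev' field of an `ip route get` answer read from stdin.
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Resolve a hostname through dnsmasq and print its addresses. BusyBox nslookup
# prints the server's own "Address:" line before "Name:", so skip until then.
resolve_via_dnsmasq() {
    nslookup "$1" 127.0.0.1 | awk '/^Name:/ { seen = 1 } seen && /^Address/ { print $2 }'
}

# Usage: check_doh_routing V4SET V6SET IFACE FWMARK HOST...
# FWMARK is the mark PBR sets for this policy (assumed; take it from your ruleset).
check_doh_routing() {
    _set4=$1; _set6=$2; _iface=$3; _mark=$4; shift 4
    _ruleset=$(nft list ruleset)
    _rc=0
    for _host in "$@"; do
        for _ip in $(resolve_via_dnsmasq "$_host"); do
            case "$_ip" in *:*) _set=$_set6 ;; *) _set=$_set4 ;; esac
            _missing=$(printf '%s\n' "$_ruleset" | missing_from_set "$_set" "$_ip")
            [ -z "$_missing" ] || { echo "$_host: $_ip is NOT in $_set"; _rc=1; }
            _dev=$(ip route get "$_ip" mark "$_mark" | route_dev)
            [ "$_dev" = "$_iface" ] || { echo "$_host: $_ip routes via ${_dev:-?}, not $_iface"; _rc=1; }
        done
    done
    return $_rc
}

if [ $# -ge 5 ]; then
    check_doh_routing "$@" && echo "OK: DoH resolver traffic is pinned to $3"
fi
```

Run it as e.g. `sh check-doh.sh pbr_wg_mullv_se_4_dst_ip_cfg136ff5 pbr_wg_mullv_se_6_dst_ip_cfg136ff5 wg_mullv_se 0x010000 cloudflare-dns.com dns.google`, with the last fwmark value replaced by the one your own PBR policy uses. An address reported as missing from the set means dnsmasq never saw the query (the bootstrap-resolution issue mentioned above), and an address reported as routing via the WAN interface means the ip rule for the mark is not selecting the VPN table.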