Getting DNS Requests to be sent through WireGuard

My OpenWRT router is connected to a WireGuard VPN server, which also provides its own DNS. In my router DHCP options under LAN I have set it to advertise the DNS "10.64.0.1" since that is the DNS server provided by the VPN, however for some reason when I do a test at https://dnsleaktest.com , it does not go through VPN DNS servers. For some odd reason, even if I manually in my phone or computer's settings, change the DNS to 10.64.0.1 and then do another DNS leak test, it still shows my non-VPN DNS.

I noticed when I test this on any Apple device like an iPhone, the DNS goes through VPN DNS, however when I test on an Android device it goes through the regular DNS server. Could this be related to the fact that the router also provides DNS through its IPv6 (starting with fd) IP, even though my ISP doesn't support IPv6, and some difference in handling IPv6 causes this? Is the solution to disable listening for DNS requests on IPv6?

I'm also not sure where is even the correct place to set a DNS (I want to set it per my LAN interface, not WAN, for example I want the router itself to use DNS 1.2.3.4, but devices connected to LAN to use 10.64.0.1), is it in Network > Interfaces > LAN > Settings > DHCP Server > Advanced Settings > and putting "6,10.64.0.1" (10.64.0.1 is the DNS IP), or is it in Network > Interfaces > LAN > Settings > Use Custom DNS Servers? Or should I put it in both? I also see Network > DHCP and DNS > DNS Forwardings, I'm confused about seeing what looks like the same option 3 times, but there must be a difference?

When I only add it to DHCP Options, the VPN DNS works on Apple devices but not others, but when I add it to "Use Custom DNS Servers", the VPN DNS works on other devices, but for some reason it is still using the regular DNS alongside the VPN DNS.

The "regular" DNS on the android phone that shows up on dns leak test, is it the google dns (8.8.8.8/8.8.4.4)?

1 Like

No, it is the DNS that I have configured OpenWRT to use in the WAN settings, it's my DNS server which runs on a VPS.

By default the local dnsmasq instance is used for outgoing dns requests on the router.
You can change that with:

option localuse '0' (1 = use the dnsmasq instance on the router itself, 0 = don't use it)

in /etc/config/dhcp
for each dnsmasq instance.

What is the output of
cat /tmp/resolv.conf ?

And when you do an nslookup on the router, what dns server is used?

Your setup should work.
The DNS Server you set on the WAN Interface should be used on the router itself.
But dnsmasq will use the DNS servers from any upstream interface (like WAN).
To stop that use option noresolv '1'

Don't setup any dns servers on the lan interface.
Better set them up in /etc/config/dhcp with

	list server 'IP of DNS Server 1'
	list server 'IP of DNS Server 2'

If you want to use different DNS Servers per interface create a new dnsmasq instance.
Add the DNS Servers you want to use via list server option as shown above.
Make sure all instances are bound to the correct interface via

	list interface 'interface name'

In /etc/config/dhcp

Yes, it could be possible that the Android phone uses/prefers the DNS
that is reachable under the IPv6 address.
But I have no clue how to stop OpenWrt from advertising the router's ULA IPv6 as DNS.
You could block/reject DNS requests that are coming over an IPv6 address.

The output of /tmp/resolv.conf is:

search lan
nameserver 127.0.0.1

But there is also /tmp/resolv.conf.auto file which has output of:

# Interface LAN2
nameserver 10.64.0.1
# Interface wan
nameserver (My VPS Server DNS IP)

When I do an nslookup while SSHed into the router, it seems to be using the local DNS server as well.

root@OpenWrt:~# nslookup google.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: google.com
Address 1: 172.217.13.78
Address 2: 2607:f8b0:4004:808::200e

Also I was wondering if this looks valid, and whether "list dhcp_option '6,(DNS IP)'" is the same thing as "list server '(DNS IP)'"?

config dhcp 'LAN1'
        option leasetime '24h'
        option interface 'LAN1'
        option ra 'server'
        option dhcpv6 'server'
        option ra_management '1'
        option start '2'
        option limit '150'
        list server '10.64.0.1'

Is there perhaps also a firewall rule I could issue that hijacks all DNS traffic on a specific subnet/interface and sends it to the VPN DNS, would this work?

iptables -t nat -A PREROUTING -s 192.168.10.0/23 -p udp --dport 53 -j DNAT --to 10.64.0.1

//edit
Forget what I wrote in my earlier post.
localuse is set to 1 by default (noresolv != 1)

Looks like your router uses your dnsmasq instance to resolve hostnames.
Does this file change when you set option localuse '0' or option noresolv '1' ?
I also think noresolv overwrites localuse, so you maybe have to use noresolv 1 only.

This is expected, this file is auto-generated by dnsmasq.
It collects (all?) dns servers it can find on any interface.
Then uses those servers to resolve hostnames.
As I wrote earlier, you can change this with option noresolv '1'

Yes, it should work...
Is 192.168.10.0/23 your local network?
But you also need one for IPv6? To stop the android phone(s) from using your local dnsmasq instance.
Also when your wireguard connection goes down, DNS resolution will fail and your dnsmasq instance (at least for IPv4) will not be used.
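An added audit helper, not from the thread, that applies the rules explained in this post and the earlier one: with option noresolv '1' dnsmasq forwards only to its list server entries, otherwise it also uses every nameserver collected in /tmp/resolv.conf.auto. It runs against sample files constructed inline; 203.0.113.53 is a made-up stand-in for the VPS resolver.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Models the dnsmasq behaviour the
# posts describe: with option noresolv '1' only `list server` entries are
# upstreams; otherwise every nameserver from /tmp/resolv.conf.auto is added.

# Print the upstream resolvers dnsmasq will forward to, one per line.
effective_upstreams() {
    dhcp_cfg=$1; resolv_auto=$2
    sed -n "s/^[[:space:]]*list server '\([^']*\)'.*/\1/p" "$dhcp_cfg"
    if ! grep -q "^[[:space:]]*option noresolv '1'" "$dhcp_cfg"; then
        awk '/^nameserver/ { print $2 }' "$resolv_auto"
    fi
}

# Return 0 when every upstream is in the allowed list (space separated),
# otherwise print the offending servers and return 1.
dns_leak_audit() {
    allowed=" $3 " leak=0
    for ns in $(effective_upstreams "$1" "$2"); do
        case "$allowed" in
            *" $ns "*) ;;
            *) echo "leak: dnsmasq may forward to $ns (outside the tunnel)"; leak=1 ;;
        esac
    done
    return $leak
}

# Constructed sample files; 203.0.113.53 is a made-up stand-in for the VPS DNS.
TMP=$(mktemp -d)
RESOLV_AUTO=$TMP/resolv.conf.auto
cat >"$RESOLV_AUTO" <<'EOF'
# Interface LAN2
nameserver 10.64.0.1
# Interface wan
nameserver 203.0.113.53
EOF
LEAKY_CFG=$TMP/dhcp.leaky    # default: resolv.conf.auto is still consulted
printf "config dnsmasq\n    option noresolv '0'\n    list server '10.64.0.1'\n" >"$LEAKY_CFG"
STRICT_CFG=$TMP/dhcp.strict  # what the thread recommends
printf "config dnsmasq\n    option noresolv '1'\n    list server '10.64.0.1'\n" >"$STRICT_CFG"

for cfg in "$LEAKY_CFG" "$STRICT_CFG"; do
    if dns_leak_audit "$cfg" "$RESOLV_AUTO" "10.64.0.1"; then
        echo "$cfg: only the VPN resolver is used"
    fi
done
```

On a real router point the two path arguments at /etc/config/dhcp and /tmp/resolv.conf.auto.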

Oddly the output of /tmp/resolv.conf doesn't change even after changing both of those settings, and when I perform a nslookup the DNS address still shows as 127.0.0.1

192.168.10.0/23 is the local network assigned to the Wi-Fi devices VLAN (which is routed through WG), and for IPv6 I was thinking of using

ip6tables -I FORWARD --destination fd06:a31e:c295:10::1 -j REJECT

(fd06:a31e:c295:10::1 being the IPv6 address of the router) but I realized that this would block all IPv6 traffic to the router, maybe --destination fd06:a31e:c295:10::1 -p udp --dport 53 -j REJECT would do the trick?)

I already have a route to block any internet connection to the devices on Wi-Fi if the WG tunnel goes down so those devices wouldn't be able to make DNS queries anyway, but that way the router can still make DNS queries using the non-VPN DNS when the tunnel goes down.

I will test this in a few minutes.
Normally, I set option peerdns '0' (on interfaces that support this) and don't configure any dns servers on the interfaces itself. (use 127.0.0.1 and ::1)
Instead I configure all dns servers I want to use in dnsmasq itself and set option noresolv '1'.
Now the problem is when I set option noresolv '0' and configure the default path for resolv file,
the dnsmasq init script is complaining that it can't create the dhcp.lease file. Strange...
I make a new build with ujail (and seccomp) disabled, because I also have some other problems with it. For example some folders/files not added to the jail. And I currently have no time to fix this.
In a few minutes the build is ready then I will test it...

I think you also want to use the INPUT chain.
You can also use the interface instead of the ipv6 address

ip6tables -I INPUT -i br-lan -p udp --dport 53 -j REJECT

But actually... the better solution would be: to stop odhcpd from advertising the router ip as dns server.

1 Like

As long as you provide a different NS with option 6, OpenWrt is not advertising itself as DNS in the LAN. Blocking port 53 with firewall can create other problems, it is better to redirect the queries that accidentally came to the router.
I believe that the problem is mostly the hardcoded Google DNS in Android devices. I am using as NS a couple of Piholes in the LAN and I hijack on the router anything on port 53 that tries to bypass them. From the logs I can see only Google DNS attempts.

@trendy

OP wants to use the DNS servers that are reachable through the wireguard tunnel only. (Security/Privacy?)
Apparently the wg tunnel is ipv4 only (?)
So there is no way to redirect the IPv6 DNS requests to the wg dns server.
Maybe with some NAT64...

How to provide no dns servers through odhcpd?

Other solution:

Configure dnsmasq to use the wireguard DNS Server and set option noresolv '1'
Then set up some iptables rules to force dns requests to the router. (Ipv4/IPv6)
Only problem here is when the wg tunnel goes down no dns resolves are possible.

//edit
@User1426
Regarding the dns server that is used on the router:
/etc/config/network
wan interface:

....
option peerdns '0'
option dns '8.8.8.8'
....

/etc/config/dhcp

...
option noresolv '1'
...

cat /tmp/resolv.conf

# Interface wan
nameserver 8.8.8.8

nslookup google.de

Server:         8.8.8.8
Address:        8.8.8.8#53

Name:      google.de
Address 1: 172.217.22.67
Address 2: 2a00:1450:4001:81c::2003

Seems to work as expected.
But you have to restart the entire network, restarting dnsmasq is not enough.
/etc/init.d/network restart
But by doing this the router will not be able to resolve internal dns names.

1 Like

Nope. So either he should configure the IPv6 properly with the Nameservers, or to disable it.

I guess he can advertise the Mullvad dns. Or use v4 NS in the DNS list for v6. I just tried it.

1 Like

Sorry, I missed that post :smile:

Good to know that this works. Thank you!

2 Likes

I tried putting the IPv4 DNS in the advertised DNS servers for IPv6, but it still went through the router's main DNS. I ended up disabling dnsmasq from listening on my Wi-Fi VLAN, and now all the devices are querying the VPN DNS as expected.

Edit: I didn't realize at the time that if I disabled dnsmasq on that interface, it would disable DHCP as well as DNS. Is there any way to disable dnsmasq for DNS but continue to have DHCP?

Not directly.
You can change the port to a different one. (But I'm not sure if this will also disable DHCP... There was some oddity with dnsmasq regarding port changing.)
But then the clients have to wait for timeout when doing dns lookups
Or reject (not drop) with iptables.

Did you try the solution above?
Setting option noresolv '1' and configure dnsmasq to only use VPN dns via list servers option?

There is also the possibility to configure a second dnsmasq instance (that only uses the VPN dns) with a different port.
Then use iptables to redirect to this instance.
You can adjust the rule to only redirect specific devices.

1 Like

Thank you! I set noresolv to 0, then manually set the DNS in dnsmasq to my VPN DNS, after that I set a route for the router to reach the VPN DNS (I used ip route add 10.64.0.0/24 dev WG) and now all devices are using 192.168.1.1 as DNS and it's forwarding to the VPN DNS perfectly! I set the DNS forwarding in dnsmasq globally, if I wanted to set it per interface do I need to create a new file or can I add the list server directives in the /etc/config/dhcp file?

Do a search in the forum for "multiple dnsmasq" and you'll be able to run more than one instance of dnsmasq, one for each interface.
