How do I fix the DNS leak

(For the SMS gateway question check my last message here. I did post my setup here, so helping should be easier here than in another thread, since you have my setup info, interface, etc.)

I'm running the latest openwrt so no issues there.

How do I fix the DNS leak in OpenWrt after your extended test here?

https://www.dnsleaktest.com

I set up openwrt like this:

Then this guide:

And I added some DNS addresses in OpenWrt. Please tell me how to fix this, I have tried for four hours. Can't get past the test. Any solutions? Thanks!

Here is some info!
uqmi -d /dev/cdc-wdm0 --get-current-settings
{
"pdp-type": "ipv4",
"ip-family": "ipv4",
"mtu": 1500,
"ipv4": {
"ip": "100.",
"dns1": "80.",
"dns2": "80.",
"gateway": "100.*",
"subnet": "255.255.255.0"
},
"ipv6": {

},
"domain-names": {
	
}

}

ip route show
0.0.0.0/1 via 10.1**.0.1 dev tun0
default via 100...* dev wwan0 src 100...*
10..0.0/22 dev tun0 scope link src 10..0.***
100..4.0/24 dev wwan0 scope link src 100..4.***
128.0.0.0/1 via 10..0.1 dev tun0
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
2... via 100...* dev wwan0

I'm not that good at technology, I kinda despise it.. Doing my best. Please help me out. Appreciated!
The DNS that leaked is mostly on the same subnet as my provider, but it's still a DNS leak. Should be easy to fix in the router, right?! How do I fix this, it's driving me crazy.. Technology :confused: It's a pain!!! Overall. Societies were better without it.
To add your own or a VPN's own DNS servers and block DNS leaks should be easy to do in the router, right? It's OpenWrt, it should be easy. What am I doing wrong here? Why is this not way way easier to set up than this? Add its own option or something. "DNS leaks, add your VPN's DNS option fixed field in OpenWrt"
I mean there is one option where I did put the VPN DNS, and it works to some extent, but that leak test, I don't even know how it works. If people use a VPN with OpenWrt and get past the extended test, please help me to fix the leak. I found the commands from guides and such online, I have no idea about what I'm doing really. Tech needs to be simplified.. a DNS leak fix button. I saw like thousands of threads about DNS leaks so something is "wrong" with the design probably. It's almost not worth it hehe.. It's open source sure.. fun when stuff works, but it takes up a lot of time and energy!
So a DNS leak would be nice to fix.

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider


Thanks very much, but do I add all of those? If you check my link I have this setup..

The guide says:
" Step 4: Set the 4G interface as default WAN

Note, on the previous screenshot there's a wired WAN interface on eth0. We will need to delete this interface and configure the 4G interface as WAN.

Click the "Delete" button next to "WAN" and confirm the deletion.

Now click "Edit" on the 4G interface => go to Firewall settings tab => Assign firewall zone => Select WAN => Save."

So I deleted the WAN and used the 4G as WAN in the firewall... so what can I do?

I have this temporary solution now where I just edit the /etc/resolv.conf in my OS instead, and use

`nameserver 46.2***`
`nameserver 192.165***` etc.

And that does stop the DNS leak. Should I remove that after I manage to fix what you are suggesting?
Can you write what I should do step-by-step please, when I don't have any WAN.. The 4G is WAN.

Should I only disable it? In the 4G interface?

"Peer DNS options

Keep peer DNS enabled to improve your DNS fault tolerance.
Disable peer DNS to prevent DNS leaks if you have configured a VPN connection on OpenWrt.
Disable peer DNS to actually change your DNS provider and receive more predictable DNS replies.

"

Thanks!

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd**/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr '**'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface '4g'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'
	option apn '**'
	option pincode '**'
	option auth 'none'
	option pdptype 'ipv4'

config interface 'VPN'
	option proto 'none'
	option device 'tun0'
	list dns 'vpn-*dns'
	option defaultroute '0'


---

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'



--
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
lrwxrwxrwx    1 root     root            16 Oct 14  2022 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Aug 12 22:48 /tmp/resolv.conf
-rw-r--r--    1 root     root           111 Aug 12 22:06 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           111 Aug 12 22:06 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface 4g_4
nameserver *IPorDNSofISP**
nameserver *IPorDNSofISP**
# Interface VPN
nameserver *DNSofVPN*


Ok there you go. Now what? :slight_smile:

Try this:

uci -q delete network.4g.dns
uci add_list network.4g.dns="8.8.8.8"
uci add_list network.4g.dns="8.8.4.4"
uci set network.4g.peerdns="0"
uci commit network
/etc/init.d/network restart

Thanks, but I should change it to the VPN DNS, right?
So:

uci -q delete network.4g.dns
uci add_list network.4g.dns="vpnDNS1" (this is an IP or DNS address, I edited all of the numbers here earlier and wrote text instead..)
uci add_list network.4g.dns="vpnDNS2" (this is an IP or DNS address, I edited all of the numbers here earlier and wrote text instead..)
uci set network.4g.peerdns="0"
uci commit network
/etc/init.d/network restart

Right? I don't wanna use Google DNS, etc.
Should I then also remove the same addresses as nameservers in the operating system?
/etc/resolv.conf

(Obviously credits to vgaetera for the solution, I just changed to the DNS IP, and it works perfectly! Sweet setup!)

You can use VPN DNS only when the VPN endpoint is specified by IP, otherwise use some other public DNS like Cloudflare.

Ok, well is it? I should use the VPN DNS, and not Google, right. Also, what am I deleting? I don't have the patience to start over again you know.. I reset the router a few hours ago and started all over. I don't feel like taking chances right now :slight_smile:
I have it working without DNS leak, but from the OS.. thanks

Also, I edited the IP addresses and wrote the text earlier, but that was obvious I hope.. just thought I'd clarify that now. They're IP numbers and not names or letters.

First, if your problem is that you are seeing your ISP DNS server in a DNS leak test (ipleak.net, dnsleaktest.com), then make sure you disable "Use DNS servers advertised by peer" in the Advanced settings section of the interface (option peerdns '0') and set "Use custom DNS servers" if necessary/desired.

What exactly do you mean by a DNS leak?
Usually it is not querying DNS via the tunnel; in your case, where everything goes via the tunnel, your DNS requests should also go via the tunnel. So you should not have a DNS leak in this sense.

If you mean by a DNS leak not exclusively using the DNS servers which are pushed by your provider or set on the interface, then you could/will have a "DNS leak".

I came from another third party firmware where after the VPN (both OpenVPN and WireGuard) tunnel is up the regular public DNS servers are replaced automatically by the pushed (or set) DNS servers from the VPN provider and noticed this was not the case in OpenWRT.

I am still looking into it, but if this is your problem then see my personal notes below.
For OpenVPN I use a script which does two things on ifup of the VPN tunnel:

  1. Get the pushed DNS servers from the VPN provider and create a /tmp/resolv_conf.vpn with these DNS server(s)
  2. Let DNSMasq use this new resolv file

On ifdown this is reversed.

I am still testing the script but that seems to fit my needs :slight_smile:
If you are interested there is a link in my notes below.

My personal notes on DNS leak

A DNS leak is often defined by a DNS query not going through a VPN tunnel.
But a stricter definition is a DNS query not going through the VPN tunnel and not using a specific DNS server (often a VPN provider pushes a DNS server (OpenVPN) or hands out a special DNS server to use for WireGuard; those DNS servers are often only available when using the tunnel so cannot be used for normal DNS via the WAN).

If you are only interested in sending DNS queries via the tunnel then you will have no problem if the VPN is the default route, as everything will go through the VPN including DNS requests from the router.

If you want to use the DNS server pushed by your provider in case of OpenVPN, or the DNS servers you entered in the WG interface, then you are out of luck.
There is a solution but you need to add a script to the router.
Please read on.

How DNSMasq works in OpenWRT
This applies when using DNSMasq to do the DNS resolving by means of a resolv.conf file which contains the DNS servers set on the active interfaces.
There is a sorting of the DNS servers: the more weight you add, the further down towards the bottom of the file the DNS servers go.

My WAN has two DNS servers with weight 20

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '9.9.9.9'
	list dns '1.0.0.1'
	option dns_metric '20'

My resolv.conf file (/tmp/resolv.conf.d/resolv.conf.auto) will show those, and those are the ones which DNSMasq is using:

root@DL-WRX36:~# cat /tmp/resolv.conf.d/resolv.conf.auto
# Interface wan6
# Interface wan
nameserver 9.9.9.9
nameserver 1.0.0.1

When I activate my WG interface with DNS server and also weight 20, then that will be placed at the bottom of the file.
By specifying a lesser weight than the other DNS servers it will be placed at the top of the file.

Weight 20 of WG (same as WAN):

# Interface wan6
# Interface wan
nameserver 9.9.9.9
nameserver 1.0.0.1
# Interface wgoraclecloud
nameserver 149.112.112.112

Weight 10 of WG: the WG DNS servers are now on top

# Interface wgoraclecloud
nameserver 149.112.112.112
# Interface wan
nameserver 9.9.9.9
nameserver 1.0.0.1

But it does not matter at what place a DNS server is, as DNSMasq will query all servers and choose the fastest one.
Wait, but DNSMasq has a strict-order setting, from the man page:
-o, --strict-order
By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up. Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf

Does this help?
Only a bit, strict-order is not very reliable and when testing you will see queries using other DNS servers as well.
Strict-order easily gives up and tries the next DNS servers, there was even a DNSMasq version (2.86?) where it was not working at all.

So using DNS weight and strict-order is not a reliable way to prevent DNS leaks.
There are scripts available on the forum which, on ifup of the interface, replace the DNS servers in the resolv config file with the ones of the interface so that you exclusively use the correct DNS servers.
An example can be found here. This script not only sets the DNS servers of the WireGuard interface to be used exclusively by DNSMasq but also always routes those via the VPN, so that you should never have a DNS leak.

The above example was about WireGuard, which has its own interface defined, but what about OpenVPN?
The OpenVPN client's interface is set up by OpenVPN, so you cannot define a DNS server as far as I know. But an OpenVPN server, e.g. from your provider, can (and often does) push a DNS server to your client to use.
Unfortunately OpenWRT does not seem to do anything by default with these pushed DNS servers.
If you want to use those you have to add a script.
There are several available. I use this one, which sets pushed or used DNS servers from the OpenVPN client exclusively for use by DNSMasq and also always routes the DNS server via the tunnel, so that you will not have a DNS leak.
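As an added illustration of the ifup/ifdown approach described in these notes (my own example, not the script linked by the poster): a hotplug script that extracts the nameservers of one interface block from the resolv.conf.auto format shown above, writes them to a VPN-only resolv file, and points dnsmasq's `resolvfile` at it while the tunnel is up. The install path `/etc/hotplug.d/iface/90-vpn-dns` and the default interface name `VPN` (taken from the poster's /etc/config/network) are assumptions; it does not add routes, so it relies on the VPN already being the default route, as in the poster's `ip route show`.

```shell
#!/bin/sh
# Added example, not from the thread. Install as /etc/hotplug.d/iface/90-vpn-dns
# (assumed path). Hotplug exports INTERFACE and ACTION when an interface changes.
VPN_IFACE="${VPN_IFACE:-VPN}"                  # logical interface name from /etc/config/network
AUTO_RESOLV="/tmp/resolv.conf.d/resolv.conf.auto"
VPN_RESOLV="/tmp/resolv_conf.vpn"

# Print the nameservers listed under the "# Interface <name>" block of a
# resolv.conf.auto-style file ($1 = file, $2 = interface name). netifd writes
# one such block per interface, as in the output posted earlier in the thread.
vpn_nameservers() {
    awk -v want="$2" '
        /^# Interface / { cur = $3; next }
        $1 == "nameserver" && cur == want { print $2 }
    ' "$1"
}

# Write a resolv file holding only that interface's servers ($1 = source file,
# $2 = interface, $3 = destination). Return 1 if the block has no servers, so
# dnsmasq is never pointed at an empty file (which would leave clients without DNS).
write_vpn_resolv() {
    servers=$(vpn_nameservers "$1" "$2")
    [ -n "$servers" ] || return 1
    # shellcheck disable=SC2086  # word splitting on newlines is intended here
    printf 'nameserver %s\n' $servers > "$3"
}

hotplug_main() {
    [ "$INTERFACE" = "$VPN_IFACE" ] || return 0
    case "$ACTION" in
        ifup)
            write_vpn_resolv "$AUTO_RESOLV" "$VPN_IFACE" "$VPN_RESOLV" || return 1
            uci set dhcp.@dnsmasq[0].resolvfile="$VPN_RESOLV"
            ;;
        ifdown)
            # Tunnel gone: fall back to the netifd-managed file so DNS keeps working.
            uci set dhcp.@dnsmasq[0].resolvfile="$AUTO_RESOLV"
            rm -f "$VPN_RESOLV"
            ;;
        *) return 0 ;;
    esac
    uci commit dhcp && /etc/init.d/dnsmasq restart
}

# Only act when invoked by hotplug; sourcing the file elsewhere just defines the functions.
if [ -n "$INTERFACE" ] && [ -n "$ACTION" ]; then
    hotplug_main
fi
```

With the VPN interface defined as `proto 'none'` on `tun0` as in the poster's config, `ifup`/`ifdown` events fire for it, so the switch happens automatically when the tunnel comes and goes.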


I think @bbxe3zfcle might imagine that seeing the DNS provider come up using dnsleaktest.com is evidence of a DNS leak. So @bbxe3zfcle may simply be chasing his tail here. Hopefully your notes will help convey that in the context of a VPN, a dnsleak is rather the DNS queries bypassing the VPN.


Something makes me feel that there is an expectation that might be a struggle to fulfill.
If you don't know what you are doing, how do you know there is a problem, and if there is, how would you know it was fixed?


I did see my real ISP, so it was a DNS leak, which I fixed, but at the OS level..

I don't know much about it, but I did fix the leak.. Just not in the router, which was what I wanted. I did read the above text about scripts though, and might try that later on.
It was a problem because I saw my real ISP provider in the list earlier, until I fixed it. The extended DNS test. That site should not know what ISP I have, which it did earlier.

That did the trick!!! Tried it now. I changed to the VPN DNS servers. And my /etc/resolv.conf
on my OS changed to 192.168.1.1, which makes sense! Cool. No DNS leaks! Fixed for now. Thanks
The resolv.conf had the DNS servers earlier with my temporary fix, but now they just switched place! Sweet! Nice setup. I marked it as solution!

Too bad you didn’t credit @vgaetera.


Haha. I wrote thank you to him, and it's the same thread.. I mean, sure I could use his post, but he wrote the Google DNS, and I wrote the DNS IP. So my solution was the right one... I can credit him though. No big deal, I thought I did. :slight_smile:


Probably mmcli can be leveraged for what you need - see e.g.:

Otherwise the OpenWrt way, I think, is just to try stuff out yourself and thereby learn, and ask questions along the way when stuck. I doubt anybody is going to take the time to write a step by step guide in answer to your question @bbxe3zfcle, although someone might consider doing so in exchange for e.g. £500.

If your goal is to obscure what server you are using for name resolution, have you considered encrypting DNS requests by using something like https-dns-proxy? Using the test you linked, it clearly didn't detect "my ISP server".
