I see my isp dns

Hi,

I don't use a VPN right now, but I don't understand why I see my ISP's DNS when I run a DNS test.

I use HTTPS DNS Proxy, and I also use these DNS settings:

IPv4 Upstream
Protocol: DHCP client
Address: 192.168.0.11/24
Gateway: 192.168.0.1
DNS 1: 1.1.1.1
DNS 2: 1.0.0.1

Do you have an idea why I still see my ISP DNS?
Thanks

Depends on where you see it, doesn't it?

or

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.52",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r27612-7e972fe242",
		"target": "mediatek/mt7622",
		"description": "OpenWrt SNAPSHOT r27612-7e972fe242"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd83:4e9f:e4ec::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	option metric '5'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config device
	option type 'bridge'
	option name 'br-guest'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option band '2g'
	option htmode 'HT40'
	option channel '8'
	option country 'CA'
	option cell_density '0'
	option txpower '28'
	option noscan '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'xxxxx'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option he_su_beamformee '1'
	option he_bss_color '8'
	option cell_density '0'
	option country 'CA'
	option htmode 'HE80'
	option txpower '27'
	option channel '157'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'xxxxxxxxxxxx'
	option encryption 'psk2'
	option key 'xxxxxxxxxxx'

config wifi-iface 'guest'
	option device 'radio0'
	option mode 'ap'
	option ssid 'xxxxx'
	option encryption 'psk2'
	option key 'xxxxxx'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option rebind_protection '0'
	option localuse '1'
	option filter_aaaa '1'
	option allservers '1'
	option nonegcache '1'
	option cachesize '2500'
	option confdir '/tmp/dnsmasq.d'
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	list server '/use-application-dns.net/'
	list server '127.0.0.1#5053'
	list server '127.0.0.1#5054'
	option doh_backup_noresolv '-1'
	option noresolv '1'
	list doh_backup_server '/mask.icloud.com/'
	list doh_backup_server '/mask-h2.icloud.com/'
	list doh_backup_server '/use-application-dns.net/'
	list doh_backup_server '127.0.0.1#5053'
	list doh_backup_server '127.0.0.1#5054'
	list doh_server '127.0.0.1#5053'
	list doh_server '127.0.0.1#5054'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone 'guest'
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest_port '67-68'

config redirect 'dns_int'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

root@OpenWrt:~# 


Based on the config files you've posted, you only specified Cloudflare DNS servers, not your ISP's DNS servers, so it is unclear why you're seeing your ISP DNS anywhere.

Without knowing your https-dns-proxy settings, which device you test from, and the DNS and browser settings on that device, one can only speculate.


And was DNS hijacking implemented?

Yep

config redirect 'dns_int'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

OK, but with "Ignore resolv file" checked, https-dns-proxy enabled and custom DNS servers set on wan, I should not see the ISP DNS.

Post the output of `cat /etc/config/https-dns-proxy`.

Have you tried using anything other than Cloudflare DNS?

I'm curious whether your ISP might be doing DNS hijacking.

What happens if you disable your router's DNS hijacking and then manually set your computer's DNS to a desired public server? Does the DNS leak test still show your ISP's DNS?

root@OpenWrt:~# cat /etc/config/https-dns-proxy

config main 'config'
	option canary_domains_icloud '1'
	option canary_domains_mozilla '1'
	option dnsmasq_config_update '*'
	option force_dns '1'
	list force_dns_port '53'
	list force_dns_port '853'
	option procd_trigger_wan6 '0'

config https-dns-proxy
	option bootstrap_dns '1.1.1.1,1.0.0.1'
	option resolver_url 'https://freedns.controld.com/p2'
	option listen_addr '127.0.0.1'
	option listen_port '5053'
	option user 'nobody'
	option group 'nogroup'

config https-dns-proxy
	option bootstrap_dns '8.8.8.8,8.8.4.4'
	option resolver_url 'https://dns9.quad9.net/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5054'
	option user 'nobody'
	option group 'nogroup'

root@OpenWrt:~# 


Same, the ISP DNS is still detected.

That suggests that your ISP may be doing DNS hijacking (intercepting plain port-53 queries regardless of the server you send them to). In that case, you would need to use something like DoH/DoT/Stubby and cut off all standard DNS egress from your router.


Did you try with a different browser/system? Your browser may have your ISP DNS cached or pulled from the system config, and is probably doing DNS over TLS or DNS over HTTPS, which won't trigger your 'Intercept-DNS' redirection (that redirect only matches destination port 53).

I believe that on Windows, with DNS servers manually set, Chromium-based browsers still try to use DNS over HTTPS to those addresses.


I use Linux and tried with Firefox and Brave.

Use tcpdump to capture outbound traffic to your ISP's DNS address, and see whether anything matches and on which destination port.


With peerdns disabled, your wan interface set to use Cloudflare DNS, and no other DNS (except the DoH proxy and Cloudflare) in any of your OpenWrt configs, your ISP DNS must be set somewhere else — and it must not be using port 53, or it would have been hijacked by the DoH proxy. Otherwise your client must be using an alternative connection or an encrypted tunnel with the ISP DNS set up.

I'd test for DNS leaks from as many other LAN clients as possible to see if you get different results.

I only see it in this test: https://browserleaks.com/dns

It doesn't matter which test it is; there's no ISP DNS anywhere in the settings you posted, so if you see it, it must be coming from somewhere else.
