probably but from where... I have a good setup
1 Like
I am a happy user of HTTPS DNS Proxy (amongst many) and do not have any leak.
To see if your router is using DNS53 you can simply do:
cat /proc/net/nf_conntrack | grep ' dport=53 ' | sort -nrk3
Install watch and you can do:
watch -tn5 "cat /proc/net/nf_conntrack | grep ' dport=53 ' | sort -nrk3"
Even if there is DNS53 traffic you should not see your ISP DNS unless you misconfigured or your ISP is hijacking DNS.
cat /proc/net/nf_conntrack | grep ' dport=53 ' | sort -nrk3
ipv4 2 udp 17 50 src=192.168.1.151 dst=8.8.8.8 sport=60445 dport=53 packets=2 bytes=120 src=192.168.1.1 dst=192.168.1.151 sport=53 dport=60445 packets=2 bytes=136 mark=0 zone=0 use=2
But still; this is happening to all devices on the lan?
yes, cellphone, pc, ipad
I configured now with dnsproxy and it is the same
you mean that watch CONFIG_BUSYBOX_DEFAULT_WATCH is not set
So at least this IP address tries to reach 8.8.8.8, what is this device?
Chromecast or other google related device (SmartTV , IoT)?
1 Like
Read this because your dns config is scripted differently plus you have a guest network set up to use the ISP assigned DNS.
That is one way to get watch the other is to install:
https://openwrt.org/packages/pkgdata/procps-ng-watch
I do not have it myself installed so am not sure.
google home mini
The DNS hijacking rule should take care of that and it looks like your router answers so that should be good.
To check if you DNS hijacking rule works set a laptop/PC to a custom DNS address of 8.8.8.8 and see with ipleak.net what DNS answers
If it is Google your DNS hijacking is not working
I removed my guest network and still the same
custom dns in WAN?
curently I have 9.9.9.9, and I need to stop my http-dns-proxy?
No just set the DNS on your Lan client e.g. your laptop/PC.
Then on that same LAN client check the DNS with ipleak.net.
If it shows 9.9.9.9 you know that the DNS hijacking is working.
If it shows google then you have to check your DNS hijacking rule(s)
1 Like
done, I see my dns from dnsproxy (cloudflare) and the one from my isp. No 8.8.8.8 and no 9.9.9.9
Then can we see all changes since the 8th?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like
If the DNS hijacking idea is still a possibility, you could try logging your WAN interface, LAN interface and WireGuard interface for DNS queries.
Something like this:
tcpdump -n -i eth0.1 -i wg0 -w logfile.pacp port 53
"-n" makes tcpdump not resolve domain names for every package's source and destination.
"-i" tells tcpdump which interface to watch, can be multiple of those
"port 53" is DNS
"-w" doesn't log to the console but creates a pcap file that can be opened in Wireshark and easily analyzed
This might tell you:
- Which queries are issued by your computer
- Which queries are issued by your router
- Which DNS server is asked
- What domain is the particular query trying to resolve
- What IP a domain is resolved for
When you log all potential interfaces at the same time, you might be able to find out:
- Does your computer actually use the DNS server you told it to use?
- If your computer uses another DNS server?
- If your computer uses another DNS server, does your rewrite rule work?
- If every request looks fine, but you still get the wrong answer, your ISP might intercept your requests even if your ISPs DNS servers are not asked.
root@OpenWrt:~# ubus call system board
{
"kernel": "6.6.58",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "Linksys E8450 (UBI)",
"board_name": "linksys,e8450-ubi",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"description": "OpenWrt SNAPSHOT",
"revision": "r27993-2915cfb626",
"target": "mediatek/mt7622",
"builddate": "1730473121"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd83:4e9f:e4ec::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option metric '5'
option peerdns '0'
list dns '9.9.9.9'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/18000000.wmac'
option band '2g'
option htmode 'HT40'
option channel '8'
option country 'CA'
option cell_density '0'
option txpower '28'
option noscan '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'xxxx'
option encryption 'psk2'
option key 'xxxxx'
config wifi-device 'radio1'
option type 'mac80211'
option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option band '5g'
option he_su_beamformee '1'
option he_bss_color '8'
option cell_density '0'
option country 'CA'
option htmode 'HE80'
option txpower '27'
option channel '157'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'Ni'
option encryption 'psk2'
option key 'xxxxxxxxxx'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option rebind_protection '1'
option localuse '1'
option filter_aaaa '1'
option allservers '1'
option nonegcache '1'
option cachesize '2500'
option confdir '/tmp/dnsmasq.d'
list server '/pool.ntp.org/1.1.1.1'
list server '/time.cloudflare.com/1.1.1.1'
list server '127.0.0.1#5353'
option noresolv '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '1'
option flow_offloading_hw '1'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wg0'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect 'dns_int'
option name 'Intercept-DNS'
option src 'lan'
option src_dport '53'
option proto 'tcp udp'
option target 'DNAT'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'
You've done a lot.
if none of the already supplied advice finds the leak:
Yes.
Let's see what happens if you bypass DHCP altogether.
1 Like