IP rules for routing DNS through VPN tunnel

I found this on the forum, but I'm not sure how it needs to be set up in my case

I have two VPN interfaces, wireg and novpn. Usually I use wireg. Sometimes I use novpn instead. So I would like to have IP rules to send all DNS queries through wireg interface. And through novpn if this is connected, if possible.

So far I don't have any IP rules set up.

ip rule
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

I use a slightly different approach which uses routing the DNS servers via the VPN, by using a script which on ifup of the interface routes the DNS servers via the VPN.

Maybe not exactly what you are looking for, but perhaps it gives you an idea of how to deal with this.

See: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak

1 Like
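Putting the question and the ifup-script idea together, here is a worked example (added here; it is not a script from this thread, from the stop-dns-leak add-on linked above, or from OpenWrt) of ip rules that steer every port-53 packet into its own routing table whose default route is the first tunnel that is up, wireg before novpn, and that fails closed when neither is. Routing table 100, rule preference 1000, the metrics, reading the sysfs flags file to detect an interface being up, and the assumption that the netdev names are literally wireg and novpn (the same as the logical interface names) are all choices made for the example, not facts from the thread. The ipproto/dport rule selectors need iproute2 and a kernel of 4.17 or newer.

```sh
#!/bin/sh
# Policy-route every DNS query (UDP/TCP port 53) through the preferred VPN
# tunnel, fall back to the second tunnel, and fail closed when neither is up.
# Added example for this thread; not a script from the original post, from the
# stop-dns-leak add-on, or from OpenWrt. wireg/novpn come from the question;
# table 100, preference 1000 and the metrics are arbitrary assumptions.
# Needs the ipproto/dport rule selectors (iproute2 and kernel 4.17 or newer).
# Set DRY_RUN=1 to print the ip(8) commands instead of executing them.

NET_SYS="${NET_SYS:-/sys/class/net}"   # overridable so the logic can be exercised without real tunnels
DNS_TABLE="${DNS_TABLE:-100}"
DNS_PRIO="${DNS_PRIO:-1000}"

# run ARGS...: execute "ip ARGS" or, under DRY_RUN, print it.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "ip $*"
    else
        ip "$@"
    fi
}

# iface_up DEV: succeed if DEV exists and has IFF_UP set. operstate reads
# "unknown" on point-to-point tunnels, so the flags bitmask is checked instead.
iface_up() {
    [ -r "$NET_SYS/$1/flags" ] || return 1
    flags=$(cat "$NET_SYS/$1/flags")
    [ $(( $flags & 1 )) -eq 1 ]
}

# pick_tunnel DEV...: print the first interface, in preference order, that is up.
pick_tunnel() {
    for dev in "$@"; do
        if iface_up "$dev"; then
            echo "$dev"
            return 0
        fi
    done
    return 1
}

# dns_rules_flush: remove this script's rules and table so reruns never stack up.
dns_rules_flush() {
    run rule del pref "$DNS_PRIO" ipproto udp dport 53 lookup "$DNS_TABLE" 2>/dev/null || true
    run rule del pref "$DNS_PRIO" ipproto tcp dport 53 lookup "$DNS_TABLE" 2>/dev/null || true
    run route flush table "$DNS_TABLE" 2>/dev/null || true
}

# dns_rules_apply [DEV]: send port-53 traffic through DEV via a dedicated table.
# The higher-metric unreachable route stays behind when the tunnel device
# vanishes, so queries fail instead of falling through to the main table and
# leaking over the WAN. An empty DEV installs only that blocking route.
dns_rules_apply() {
    dns_rules_flush
    if [ -n "$1" ]; then
        run route add default dev "$1" table "$DNS_TABLE" metric 10
    fi
    run route add unreachable default table "$DNS_TABLE" metric 1000
    run rule add pref "$DNS_PRIO" ipproto udp dport 53 lookup "$DNS_TABLE"
    run rule add pref "$DNS_PRIO" ipproto tcp dport 53 lookup "$DNS_TABLE"
}

# Entry point: "apply" (re)selects the tunnel, "flush" removes everything.
case "${1:-}" in
    apply)
        tun=$(pick_tunnel wireg novpn) || tun=""
        dns_rules_apply "$tun" ;;
    flush)
        dns_rules_flush ;;
esac
```

Save it as, say, /root/dns-vpn.sh, run "sh /root/dns-vpn.sh apply" once, and call the same from a script in /etc/hotplug.d/iface/ on ifup and ifdown of either tunnel so the table is re-pointed when wireg drops and novpn is up. It only covers plain DNS on port 53 over IPv4; repeat the rules with "ip -6 rule" and "ip -6 route" if the resolvers have IPv6 addresses, and keep in mind that DoT (853) and DoH (443) are not caught by a port-53 match.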

wouldn't https-dns-proxy be good enough?

plus https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns to catch it all.

1 Like

I'm not sure. I don't insist on using IP rules.
How can I check whether the queries are routed through the VPN tunnel and that these queries are not bypassing the VPN tunnel?

You can look at what happens to the packets using 'tcpdump'.

Just use tcpdump -i wan to look at packets on 'wan' or tcpdump -i br-lan to look at packets on 'br-lan'.

And you can filter on DNS port 53, e.g.:

tcpdump -i wan port 53

It may be preferable though just simply to use DNS over TLS rather than route packets over VPN.

1 Like

tcpdump, or perhaps this could work:
watch -tn5 "cat /proc/net/nf_conntrack | grep ' dport=53 ' | sort -nrk3"
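Building on the nf_conntrack one-liner above and the earlier tcpdump suggestion, here is an added example (not code from any post in this thread) that turns the same conntrack data into a pass/fail check: it reads conntrack entries, keeps only flows whose original direction goes to port 53, and reports any whose destination is not one of the resolvers that should only be reachable through the tunnel (or the router's own LAN address, which is where LAN clients send their queries to dnsmasq). The resolver 10.64.0.1 and the router address 192.168.1.1 are assumed values, and the sample lines are constructed for the example, not captured from a real router.

```sh
#!/bin/sh
# Leak check over conntrack: list every port-53 flow whose destination is not
# one of the resolvers that should only be reachable through the tunnel.
# Added example for this thread, not code from the original posts. The
# resolver 10.64.0.1 and the router address 192.168.1.1 are assumptions, and
# SAMPLE_CONNTRACK is a constructed stand-in for /proc/net/nf_conntrack.

# dns_leak_check "ALLOWED..." < conntrack-lines
# ALLOWED is a space-separated list of destinations that are fine for DNS: the
# VPN-side resolver(s) plus this router's own LAN address (LAN clients asking
# dnsmasq show up as flows to it). Prints one line per other DNS flow and
# returns 1 if any were found, 0 otherwise.
dns_leak_check() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, list, " "); for (i = 1; i <= n; i++) ok[list[i]] = 1 }
        {
            # The first src=/dst=/dport= fields describe the original direction
            # of the flow; the second set is the reply direction, so stop at the
            # first match of each.
            src = ""; dst = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if (src == "" && index($i, "src=") == 1) src = substr($i, 5)
                if (dst == "" && index($i, "dst=") == 1) dst = substr($i, 5)
                if (dport == "" && index($i, "dport=") == 1) dport = substr($i, 7)
            }
            if (dport != "53") next     # not plain DNS (DoT/DoH use other ports)
            if (dst in ok) next         # expected resolver, or a LAN client asking this router
            leaks++
            printf "LEAK %s/%s %s -> %s\n", $1, $3, src, dst   # $1 is ipv4/ipv6, $3 is udp/tcp
        }
        END { exit (leaks > 0) }
    '
}

# Constructed sample: one query to the VPN resolver, one LAN client asking the
# router, one query that escaped to 8.8.8.8, and a DoT session on port 853.
SAMPLE_CONNTRACK='ipv4     2 udp      17 29 src=192.168.1.1 dst=10.64.0.1 sport=42123 dport=53 packets=1 bytes=60 src=10.64.0.1 dst=192.168.1.1 sport=53 dport=42123 packets=1 bytes=130 mark=0 zone=0 use=2
ipv4     2 udp      17 12 src=192.168.1.20 dst=192.168.1.1 sport=50311 dport=53 packets=1 bytes=58 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=50311 packets=1 bytes=122 mark=0 zone=0 use=2
ipv4     2 udp      17 27 src=192.168.1.1 dst=8.8.8.8 sport=51870 dport=53 packets=1 bytes=61 src=8.8.8.8 dst=192.168.1.1 sport=53 dport=51870 packets=1 bytes=140 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.1 dst=1.1.1.1 sport=40212 dport=853 packets=9 bytes=1340 src=1.1.1.1 dst=192.168.1.1 sport=853 dport=40212 packets=8 bytes=2910 [ASSURED] mark=0 zone=0 use=2'

# Live use on the router: dns_leak_check "10.64.0.1 192.168.1.1" < /proc/net/nf_conntrack
# "demo" runs the check against the constructed sample instead.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_CONNTRACK" | dns_leak_check "10.64.0.1 192.168.1.1"
fi
```

Run on the router with the real list of VPN-side resolvers against /proc/net/nf_conntrack, it exits 1 and prints a LEAK line for every DNS flow that went somewhere else; any output while the tunnel is up means the routing is not catching everything. Because it looks at destinations rather than interfaces it cannot tell you which path a flow took, so pair it with tcpdump on wan when something shows up.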