So I'm trying to set up something, but I have some difficulties understanding how to make it work. Maybe what I'm asking is impossible, but I can always try.
Currently I use the opkg package luci-app-nextdns.
Now I do have a WireGuard interface set up with Mullvad and wish to encapsulate my NextDNS traffic in this tunnel (yes, I know NextDNS is encrypted, but it feels wrong that in practice it still goes over the WAN and not via the tunnel; I can see this on the NextDNS website).
I just want to be sure my setup is safe against client-side lookup exposure, i.e. a P2P online game where mod menus can leak very local data; it's probably also possible to social-engineer a way to check my DNS geolocation and my VPN if my game would expose this (the game is at best really unsafe). Some sites also use it as a detection mechanism to determine if you use a proxy.
The other issue is that currently I also have some other interfaces like zigbee which I route through WAN via Stangri's opkg package PBR; I want to keep the DNS route there over WAN.
How would I make it so that the wgclient doesn't leak DNS queries over the WAN route, and still have the same NextDNS instance work on networks like zigbee which go over WAN? Would that be possible to achieve?
The DNS origin can indeed be checked; Netflix, BBC, Amazon etc. do that to make it difficult to use a VPN.
I use a script to replace DNS forwarders when the VPN is up and route the new DNS forwarders via the tunnel, but as you are using PBR, it looks like you need 'split DNS'.
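One way to build the 'split DNS' mentioned above on OpenWrt, as an added example that is not the poster's script: two dnsmasq instances in /etc/config/dhcp, one bound to the tunnelled networks and forwarding only to Mullvad's in-tunnel resolver, the other bound to zigbee and forwarding to the NextDNS listener over the WAN. Interface and pool names come from the thread; the instance names, the lease-file paths and the NextDNS listener port are assumptions (the port is a placeholder).

```uci
# Added example for /etc/config/dhcp: two dnsmasq instances instead of one.
# Each instance binds only to its own interfaces (nonwildcard) and ignores
# /tmp/resolv.conf (noresolv), so no query can fall back to the WAN resolver.

config dnsmasq 'tunnel'
	option domain 'lan'
	option local '/lan/'
	option localise_queries '1'
	option rebind_protection '1'
	option nonwildcard '1'
	list interface 'lan'
	list interface 'pcnet'
	option noresolv '1'
	# Mullvad's in-tunnel resolver from the thread; the "@wgclient" suffix
	# makes dnsmasq send its upstream queries out of the WireGuard device
	list server '10.64.0.1@wgclient'
	# assumed path, kept separate from the other instance's lease file
	option leasefile '/tmp/dhcp.leases.tunnel'

config dnsmasq 'wanside'
	option domain 'lan'
	option local '/lan/'
	option localise_queries '1'
	option rebind_protection '1'
	option nonwildcard '1'
	list interface 'zigbee'
	option noresolv '1'
	# forward to the NextDNS CLI's local listener; the port is a placeholder
	list server '127.0.0.1#<nextdns-cli-port>'
	# assumed path
	option leasefile '/tmp/dhcp.leases.wanside'

# every DHCP pool names the instance that serves it; the remaining pools
# from the thread (tvnet, wlan0, ...) get an instance line the same way
config dhcp 'lan'
	option instance 'tunnel'
	option interface 'lan'
	option start '2'
	option limit '150'
	option leasetime '12h'

config dhcp 'zigbee'
	option instance 'wanside'
	option interface 'zigbee'
	option start '2'
	option limit '150'
	option leasetime '12h'
```

Verify from a lan client with the whoami.ds.akahelp.net TXT query used later in the thread: the "ecs" record should no longer carry the WAN IP. Keep in mind that the NextDNS CLI rewrites dnsmasq's configuration through /tmp/dnsmasq.d/nextdns.conf, which can undo this split.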
It is called EDNS Client Subnet, or ECS for short. This is how CDNs redirect your requests to the closest datacenter, but it discloses your subnet (not your entire IP) to the site owner. AFAIK Quad9 and Cloudflare DNS are the only ones who intentionally do not support ECS for privacy reasons: https://en.wikipedia.org/wiki/Public_recursive_name_server
Run the following to check if your DNS discloses your subnet:
But so far it works with peerdns 0 and 10.64.0.1 in the wgclient interface; if I do tracert I see:
1 <1 ms <1 ms <1 ms GL-MT6000.lan [10.34.79.1]
2 6 ms 6 ms 6 ms 10.64.0.1 <- dns
3 9 ms 7 ms 7 ms <snip>
<snip much more>
But for some reason my NextDNS admin panel currently doesn't show the VPN IP. I also placed the hotplug script; the strange thing is that it looks like any setting with option 6 gets ignored. Perhaps it's invalid due to the missing start and end options?
dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.wg'
	option localservice '1'
	option ednspacket_max '1232'
	option sequential_ip '1'
	option cachesize '1000'

config dhcp 'lan'
	option interface 'lan'
	option start '2'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wgclient'
	option interface 'wgclient'
	list dhcp_option '6,10.64.0.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'pcnet'
	option interface 'pcnet'
	option start '2'
	option limit '150'
	option leasetime '12h'

config dhcp 'zigbee'
	option interface 'zigbee'
	option start '2'
	option limit '150'
	option leasetime '12h'

config dhcp 'wlan0'
	option interface 'wlan0'
	option start '2'
	option limit '150'
	option leasetime '12h'

config dhcp 'wlan1'
	option interface 'wlan1'
	option start '2'
	option limit '150'
	option leasetime '12h'

config dhcp 'tvnet'
	option interface 'tvnet'
	option start '2'
	option limit '150'
	option leasetime '12h'

config dhcp 'aria'
	option interface 'aria'
	option start '2'
	option limit '150'
	option leasetime '12h'

config host
	option mac '<snip>'
	option ip '10.234.53.15'
	option tag 'Mochabin'

config host
	option name 'GS1900-24E'
	option dns '1'
	option mac '<snip>'
	option ip '10.234.53.10'

config host
	option name 'GS1900-8'
	option dns '1'
	option mac '<snip>'
	option ip '10.234.53.20'

config domain
	option name 'aria.local'
	option ip '192.168.99.2'

config host
	option name 'printer'
	option ip '10.33.77.4'
	option mac '<snip>'

config host
	option name 'imperial-i200'
	option dns '1'
	option mac '<snip>'

config host
	option name 'aqara-g2h-camera'
	option dns '1'
	option mac '<snip>'

config host
	option name 'miclock'
	option dns '1'
	option mac '<snip>'

config host
	option name 'dumbap'
	option ip '10.234.53.3'
	option mac '<snip>'
	option dns '1'

config host
	option mac '<snip>'
	option name 'tvbox'

config dhcp 'ayaneo'
	option interface 'ayaneo'
	option start '2'
	option limit '150'
	option leasetime '12h'

config host
	option name 'aqara-hub'
	option mac '<snip>'
	option ip '10.33.77.3'
The output of the command nslookup -type=TXT whoami.ds.akahelp.net from @timur.davletshin shows:
Server: GL-MT6000.lan
Address: 10.34.79.1
Non-authoritative answer:
whoami.ds.akahelp.net text =
"ip"
"95.179.134.211" <- nextdns
whoami.ds.akahelp.net text =
"ecs"
"<wan ip>"
whoami.ds.akahelp.net text =
"ns"
"95.179.134.211" <- nextdns
So for clients it's not working yet.
I'm using an OpenWrt snapshot for the GL-MT6000.
The NextDNS CLI invokes the current configuration with its own and uses the config /tmp/dnsmasq.d/nextdns.conf.
However, it does so in such a way that it ignores the dhcp-option; also, it did not follow lan for me or other interfaces.
When I disabled NextDNS and let PBR redo the routes, the DNS was correct, so I think the best way of fixing it would be using Stubby. Although I really like the NextDNS CLI, I think it will be really hard for this purpose.