I need suggestions to have different DNS for WAN.
I use ecg112 script to use vpndns from PUSH string in openvpn.
WAN uses the same dns servers as my openvpn client and I want to use DNS from my ISP.
Thanks
If it is only a matter of DNS server preference, you can use the DNS weight
in the advanced section of the network interface configuration.
If you need to use all the DNS for different purposes, then it gets more complicated and we'll need more information about who should ask which resolver.
There are different solutions to this depending on your need, e.g. dhcp tagging for clients or interface (DNSMasq option 6), using nft rules, using the PBR app or even running multiple dnsmasq instances.
See for some information my notes: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak#split-dns
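For the DHCP-tagging option mentioned above (dnsmasq option 6), here is an added example of what the relevant part of /etc/config/dhcp on OpenWrt could look like. It is not code from the thread or from the egc112 notes; the MAC address is a placeholder, and the resolver address is the VPN provider's resolver that appears in the thread, used here only as an illustration.

```text
# /etc/config/dhcp (added example, not from the thread)
# Clients carrying the "vpndns" tag receive this resolver in DHCP option 6,
# so they query it directly instead of the router's dnsmasq. Untagged
# clients keep the router as resolver.
config tag 'vpndns'
	list dhcp_option '6,46.227.67.134'

# Static lease for one client; the tag attaches the option to this host.
# The MAC is a placeholder; the IP matches the client discussed in the thread.
config host
	option name 'JohanS24'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.199'
	option tag 'vpndns'
```

After `/etc/init.d/dnsmasq restart` the client has to renew its lease to pick up the new resolver. Three caveats: the client talks to that address directly, so it must be routed the way you intend (here via the VPN, otherwise the query leaves through the WAN); a resolver address pushed by the VPN provider can change on reconnect and this static entry will not follow it; and any firewall rule that redirects port 53 to the router still catches this traffic, so check for such rules before relying on the option.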
Thank you for your answer.
I have read that link and I am more confused; I don't know what I really need.
I'm using "ovpn-update-resolv-9" to read DNS from PUSH string from VPN-provider.
I have installed "pbr" and "luci-app-pbr", which seems to work; I can redirect by name policy.
I cannot choose VPN or WAN for an IP number, e.g. 192.168.1.120.
Thank you
You already have the PBR app. I do not know what version you have, but recent versions have DNS policies, and you can let LAN clients (by IP address) or even whole interfaces use a specific DNS.
Also a lot of other possibilities, see:
You might need to upgrade PBR to the latest version, how to do that see:
I have these packages installed.
pbr 1.1.6-22 updated to: 1.1.7-59
luci-app-pbr 1.1.6 updated to: 1.1.7-59
Seems right here; how do I add/remove rules?
#!/usr/sbin/nft -f
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000 mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000 mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip daddr { 23.88.xx.xx} goto pbr_mark_0x010000 comment "iplocation.com"
add rule inet fw4 pbr_prerouting ip daddr { 95.85.xx.xxx } goto pbr_mark_0x010000 comment "ipleak.net"
Can't choose WAN or OpenVPN route, nor choose a different DNS.
Sorry, but it feels a bit confusing as everything is new to me.
You can set the rules in the GUI (Services > Policy Routing, under DNS Policies) or change them in /etc/config/pbr if you know what you are doing, see:
I can't get 192.168.1.199 to route and choose the right DNS.
I'm doing as I have read, I think...
config dns_policy
	option name 'JohanS24'
	option src_addr '192.168.1.199'
	option dest_dns '46.227.67.134'

config policy
	option name 'JohanS24'
	option src_addr '192.168.1.199'
	option interface 'Openvpn'
Wed Nov 20 09:35:34 2024 user.notice pbr [6254]: Resetting chains and sets [✓]
Wed Nov 20 09:35:34 2024 user.notice pbr [6254]: Removing routing for 'wan/eth1/100.69.0.1' [✓]
Wed Nov 20 09:35:34 2024 user.notice pbr [6254]: Removing routing for 'Openvpn/tun0/10.129.1.47' [✓]
Wed Nov 20 09:35:34 2024 user.notice pbr [6254]: pbr 1.1.7-59 (fw4 nft file mode) stopped [✓]
Wed Nov 20 09:35:35 2024 user.notice pbr [6254]: Using wan interface (on_start): wan
Wed Nov 20 09:35:35 2024 user.notice pbr [6254]: Found wan gateway (on_start): 100.69.0.1
Wed Nov 20 09:35:35 2024 user.notice pbr [6254]: Setting up routing for 'wan/eth1/100.69.0.1' [✓]
Wed Nov 20 09:35:35 2024 user.notice pbr [6254]: Setting up routing for 'Openvpn/tun0/10.129.1.47' [✓]
Wed Nov 20 09:35:35 2024 user.notice pbr [6254]: Routing 'iplocation.com' via wan [✓]
Wed Nov 20 09:35:36 2024 user.notice pbr [6254]: Routing 'ipleak.net' via wan [✓]
Wed Nov 20 09:35:36 2024 user.notice pbr [6254]: Routing 'JohanS24' via Openvpn [✓]
Wed Nov 20 09:35:36 2024 user.notice pbr [6254]: Routing 'JohanS24' DNS to 46.227.67.134 [✓]
Wed Nov 20 09:35:36 2024 user.notice pbr [6254]: Installing fw4 nft file [✓]
Wed Nov 20 09:35:36 2024 user.notice pbr [6254]: pbr 1.1.7-59 monitoring interfaces: wan Openvpn
Wed Nov 20 09:35:36 2024 user.notice pbr [6254]: pbr 1.1.7-59 (fw4 nft file mode) started with gateways: wan/eth1/100.69.0.1 Openvpn/tun0/10.129.1.47 [✓]
Wed Nov 20 09:35:37 2024 user.notice pbr: Sending reload signal to pbr due to firewall action: includes
Wed Nov 20 09:35:37 2024 user.notice pbr: Reusing the fw4 nft file.
Be sure to reboot first.
If you are using DNS hijacking, either by implementing it yourself or by using the HTTPS-DNS proxy, that will have precedence over DNS policies!
To see whether there are other DNS hijacking policies active, you can PM me the result of:
nft list ruleset | grep 53
nft list ruleset
If you check DNS from JohanS24 with dnsleaktest.com
what does it show?
If you do a traceroute 46.227.67.134
from JohanS24 does it route via the VPN?
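The `nft list ruleset | grep 53` check above gets noisy on a router with several chains, so here is an added shell script (not part of the thread, not from the pbr package or the egc112 notes) that reads a ruleset dump and reports, per port-53 rule, the chain it lives in, the protocol, whether it applies to a given LAN client, and where the traffic is sent. A second function lists the rules that apply to the client but are not pbr's own chain, which is exactly what can override a DNS policy. The RULESET variable is a constructed sample modelled on a pbr DNS policy plus a typical fw4 "Hijack DNS" redirect; on a router you would pipe the real dump in instead. The script assumes the dump uses nft's standard `ip saddr`, `dnat ip to` and `redirect to` syntax and that pbr's chain is named pbr_dstnat.

```shell
#!/bin/sh
# Added example: inspect an nft ruleset dump for rules that touch DNS port 53
# and show which of them apply to a given LAN client.
# On the router:  nft list ruleset | sh dns_rules.sh 192.168.1.199
#
# Constructed sample (NOT a dump from the poster's router): a fw4-style
# "Hijack DNS" redirect in dstnat_lan plus a pbr DNS policy for one client.
RULESET='table inet fw4 {
	chain dstnat_lan {
		meta nfproto ipv4 udp dport 53 counter redirect to :53 comment "Hijack DNS"
	}
	chain pbr_dstnat {
		ip saddr 192.168.1.199 meta nfproto ipv4 tcp dport 53 dnat ip to 46.227.67.134:53 comment "Johan-S24"
		ip saddr 192.168.1.199 meta nfproto ipv4 udp dport 53 dnat ip to 46.227.67.134:53 comment "Johan-S24"
	}
}'

# dns_rules CLIENT_IP   (ruleset dump on stdin)
# Prints one line per port-53 rule:  CHAIN<TAB>PROTO<TAB>MATCH<TAB>TARGET
#   PROTO  : tcp, udp, or any (no L4 protocol match before "dport")
#   MATCH  : "client" if the rule is restricted to CLIENT_IP by "ip saddr",
#            "all" if it has no ip saddr match, "other" if it names another host
#   TARGET : dnat destination, "router:PORT" for a redirect, "-" otherwise
dns_rules() {
    awk -v client="$1" '
        /^[[:space:]]*chain[[:space:]]+/ { chain = $2; next }
        /dport 53([^0-9]|$)/ {
            proto = "any"
            if ($0 ~ /(^|[[:space:]])tcp dport/) proto = "tcp"
            else if ($0 ~ /(^|[[:space:]])udp dport/) proto = "udp"
            match_kind = "all"
            if (match($0, /ip saddr [0-9.]+/)) {
                saddr = substr($0, RSTART + 9, RLENGTH - 9)
                match_kind = (saddr == client) ? "client" : "other"
            }
            target = "-"
            if (match($0, /dnat ip to [0-9.:]+/))
                target = substr($0, RSTART + 11, RLENGTH - 11)
            else if (match($0, /redirect to :[0-9]+/))
                target = "router:" substr($0, RSTART + 13, RLENGTH - 13)
            printf "%s\t%s\t%s\t%s\n", chain, proto, match_kind, target
        }'
}

# competing_dns_rules CLIENT_IP   (ruleset dump on stdin)
# Port-53 rules that apply to CLIENT_IP and are not pbr's own chain. Anything
# printed here is a candidate for overriding the pbr DNS policy; which one
# wins depends on the hook priority of the chain it is reached from.
competing_dns_rules() {
    dns_rules "$1" | awk -F'\t' '$1 != "pbr_dstnat" && ($3 == "client" || $3 == "all")'
}

# Demo on the constructed sample; replace with `nft list ruleset |` on a router.
printf '%s\n' "$RULESET" | dns_rules 192.168.1.199
echo "--- rules competing with the pbr DNS policy for 192.168.1.199 ---"
printf '%s\n' "$RULESET" | competing_dns_rules 192.168.1.199
```

On the constructed sample the second section lists the dstnat_lan redirect, which is the situation the post above warns about: a hijack rule that applies to every LAN client and would send the client's queries to the router's own resolver regardless of the pbr policy. An empty second section means no other port-53 rule applies to that client; it does not prove the policy is hit, since DoT (port 853) or DoH traffic never touches these rules at all.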
I have PM'd you, unsure if I did it right?
Your traceroute shows that the DNS server is routed via the VPN (I assume that the traceroute is done from JohanS24 and not from the router):
traceroute to 46.227.67.134 (46.227.67.134), 30 hops max, 46 byte packets
1 10.129.0.1 (10.129.0.1) 2.754 ms 2.625 ms 2.544 ms
2 46-227-67-129.pool.ovpn.com (46.227.67.129) 35.040 ms 37.613 ms 37.907 ms
3 dns01.prd.kista.ovpn.com (46.227.67.134) 2.692 ms !C 2.808 ms !C 2.728 ms !
So if you do dnsleaktest.com
from JohanS24 it should show something other than your default DNS server.
Bottom line: it looks OK.
You are right, I did it from JohanS24. Here it is from the router:
root@DEFCON:~# traceroute 46.227.67.134
traceroute to 46.227.67.134 (46.227.67.134), 30 hops max, 46 byte packets
1 10.129.0.1 (10.129.0.1) 2.948 ms 2.604 ms 2.564 ms
2 46-227-67-129.pool.ovpn.com (46.227.67.129) 17.849 ms 7.471 ms 20.889 ms
3 dns01.prd.kista.ovpn.com (46.227.67.134) 2.725 ms !C 2.850 ms !C 2.718 ms !C
dnsleaktest.com
from JohanS24 shows DNS servers from my ISP.
Make sure you have disabled Private DNS on JohanS24; many browsers and OSes use Private DNS nowadays, which uses DoT instead of DNS53 for resolving.
The traceroute shows that 46.227.67.134 is routed via the VPN and the DNS rules:
chain pbr_dstnat {
ip saddr 192.168.1.199 meta nfproto ipv4 tcp dport 53 dnat ip to 46.227.67.134:53 comment "Johan-S24"
ip saddr 192.168.1.199 meta nfproto ipv4 udp dport 53 dnat ip to 46.227.67.134:53 comment "Johan-S24"
}
So the PBR DNS policy should work as intended, unless JohanS24 is using Private DNS.