Policy-Based-Routing (pbr) package discussion

Just a first draft :slight_smile:

Domain based routing

Why does it not work?

And what to do about it

Missing Domains

Companies use a lot of domains and subdomains, and you have to catch them all, e.g. by using domain lists found on the internet or ASN (IP prefix) lists.

e.g:

DNS not resolving all domains dynamically

Companies often use dynamic domains with multiple and changing IP addresses, so you have to resolve those dynamically using nft sets (the successor of ipset).

The pbr package can use dnsmasq nft sets to resolve domains dynamically, see the pbr documentation at docs.openwrt.melmac.ca.

Below is a snippet from that documentation; make sure you consult footnotes 5 and 7 as stated there:

Use DNSMASQ nft sets Support

  • The pbr package can be configured to utilize dnsmasq’s nft sets support, which requires the dnsmasq-full package with nft sets support to be installed (see How to install dnsmasq-full). This significantly improves the start up time because dnsmasq resolves the domain names and adds them to the appropriate nft set in background. dnsmasq’s nft set also automatically adds third-level domains to the set: if domain.com is added to the policy, this policy will affect all *.domain.com subdomains. This also works for top-level domains (TLDs) as well, a policy targeting the at TLD for example, will affect all the *.at domains.
  • Please review the Footnotes/Known Issues section, specifically #5 and #7 and any other information in that section relevant to domain-based routing/DNS.

DNS resolving not routed accordingly

Companies, and especially streaming media services, actively try to detect and block the use of VPNs; they deploy a number of mechanisms.

One of those is checking the origin of the DNS request: if the source address of the DNS lookup is not the same as the source address of the connection itself, they will block you, so DNS resolution has to be routed the same way as the traffic for that domain.

See: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak#different-dns-servers-and-routing-per-domain

Make sure to disable Private DNS / Secure DNS (DNS over HTTPS or DNS over TLS) in your web browser and on your client OS: a client that resolves names itself bypasses the router's dnsmasq, so the domain is never added to the nft set and the lookup is not routed via the policy.

A good way to test is to include ipleak.net in your domain list, as that page will show both your IP location and the location of the DNS server that resolved it.
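The two points above (catch the domains and prefixes, and route the DNS lookups for them over the same interface) can be prepared with a small script. The following is an added example written for this post; it is not part of the pbr package or the original draft. It assumes a VPN interface named wg0 in /etc/config/network, a resolver 10.64.0.1 that is only reachable through that tunnel, and a constructed prefix list for a hypothetical AS64496 made up of documentation ranges. The uci option names (resolver_set, name, interface, dest_addr) are the ones the pbr package uses; the policy name and the sample domains are made up.

```shell
#!/bin/sh
# Added example (not from the original post, not part of the pbr package).
# Builds a domain/ASN based pbr policy and pins the DNS resolution for those
# domains to a resolver that is routed over the same interface, so the origin
# of the DNS request matches the origin of the traffic.
#
# Assumptions (not from the original post): VPN interface "wg0", resolver
# 10.64.0.1 reachable only through the tunnel, and AS64496 plus its prefixes
# are constructed sample data (documentation ranges), not real announcements.

# Constructed sample: what an ASN-to-prefix lookup might return, with noise.
SAMPLE_PREFIXES='# prefixes for AS64496 (constructed sample)
203.0.113.0/24
198.51.100.0/25
2001:db8:10::/48
not-a-prefix
203.0.113.0/24'

# extract_prefixes 4|6 : read a list on stdin, print unique IPv4 or IPv6
# CIDRs one per line. Comments, blanks, duplicates and junk are dropped.
extract_prefixes() {
  case "$1" in
    4) re='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' ;;
    6) re='^[0-9a-fA-F:]+/[0-9]{1,3}$' ;;
    *) echo "usage: extract_prefixes 4|6" >&2; return 1 ;;
  esac
  grep -E "$re" | sort -u
}

# join_space : collapse lines into one space separated line (pbr dest_addr format)
join_space() {
  tr '\n' ' ' | sed 's/ *$//'
}

# dest_addr DOMAINS RESOLVER : the dest_addr value of the policy.
# The resolver IP is included on purpose: dnsmasq's own queries to it then
# leave via the policy interface instead of the default route.
dest_addr() {
  domains=$1; resolver=$2
  prefixes=$(printf '%s\n' "$SAMPLE_PREFIXES" | extract_prefixes 4 | join_space)
  printf '%s %s %s\n' "$domains" "$prefixes" "$resolver"
}

# dnsmasq_server_lines DOMAINS RESOLVER : one server=/domain/resolver line per
# domain, to be placed in dnsmasq's configuration (e.g. a file in /tmp/dnsmasq.d/)
dnsmasq_server_lines() {
  resolver=$2
  for d in $1; do
    printf 'server=/%s/%s\n' "$d" "$resolver"
  done
}

# render_policy NAME IFACE DOMAINS RESOLVER : uci commands that enable dnsmasq
# nft sets in pbr and create the policy (printed, not executed, so it can be reviewed)
render_policy() {
  name=$1; iface=$2
  addr=$(dest_addr "$3" "$4")
  cat <<EOF
uci set pbr.config.resolver_set='dnsmasq.nftset'
uci add pbr policy
uci set pbr.@policy[-1].name='$name'
uci set pbr.@policy[-1].interface='$iface'
uci set pbr.@policy[-1].dest_addr='$addr'
uci commit pbr
EOF
}

# Demo: sample domains plus ipleak.net so the test page itself goes through the tunnel
DOMAINS='example-stream.test ipleak.net'
RESOLVER='10.64.0.1'
render_policy 'stream_via_wg0' 'wg0' "$DOMAINS" "$RESOLVER"
dnsmasq_server_lines "$DOMAINS" "$RESOLVER"
```

Run it on the router to review the generated uci commands, then paste them and restart pbr and dnsmasq. Because dnsmasq adds every resolved address for the listed domains (and their subdomains) to the nft set, the prefix list only needs to cover addresses that are never learned through DNS; the resolver address in dest_addr is what keeps the DNS origin in the tunnel.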

Other detection methods of using a VPN

Even if IP routing and DNS routing are taken care of, companies deploy other tracking mechanisms such as WebRTC (which can reveal your real IP address to the web page) and other browser-related tracking, so make sure you disable WebRTC.

Use private/incognito browsing, so that cookies and site data stored from earlier sessions are not sent along.

Old DNS entries cached

DNS responses are cached, so even if you have set everything up correctly a name may still be resolved from the cache on the router or on the client. Flush the DNS caches after setup, or wait until the cached entries have expired.

This can be done by rebooting the router and the client you are testing with, or:

OpenWrt: service dnsmasq restart
Windows (from the command line): ipconfig /flushdns
Android: switch to another WiFi network and back again
For other systems see: https://runcloud.io/blog/flush-dns-cache

Conclusion

Domain-based routing is not easy, as some companies are actively trying to block the use of VPNs, so even if you tick all the boxes it might not work. In that case you have to either try source-based routing (routing by client address instead of by destination) or simply change the default route so that your domains are reached over it.
