I have two firewall zones: lan and guest. Clients in the lan zone are routed over a VPN (Wireguard) whilst clients in the guest zone are routed over the WAN; my ISP.
Under Network > Interfaces > LAN > DHCP Server > Advanced Settings > DHCP-options and Network I've set 6,10.64.0.1 to use my VPN provider's resolver.
I've also set 10.64.0.1 Under Network > DHCP and DNS > Server Settings > DNS forwardings
Under Under Network > Interfaces > {WAN, WAN6} > Common Configuration > Advanced Settings > Use custom DNS, I've set the DNS.watch resolvers.
However, I see DNS leaks from the lan clients; the pertinent configs are below:
resolv.conf.auto
# Interface wan
nameserver 84.200.69.80
nameserver 84.200.70.40
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'Streaming lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'mullvad wan wan6 MODEM'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'guest'
option input 'REJECT'
option network 'Guest'
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
option name 'guest_dhcp'
option src 'guest'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'guest_dns'
option src 'guest'
config forwarding
option dest 'wan'
option src 'guest'
config forwarding
option dest 'wan'
option src 'lan'
config rule
option enabled '1'
option src 'guest'
option name 'Disable Modem Access'
option dest 'wan'
option dest_ip '192.168.2.1'
option target 'DROP'
If I check "Ignore Resolve File" under Network > DHCP and DNS > Server Settings > Resolv and Hosts Files, then lan clients no longer leak DNS queries. However, as soon as I check that, clients on the Guest network cannot resolve hostnames.
I'm sure I'm being a complete peanut, but I can't, for the life of me, figure out what's going on. I fear I may have over-complicated my set-up, so any guidance would be most welcome.
As it is now, you just send to LAN hosts the VPN nameservers. Guests and the router itself will use DNS.watch nameservers. But if you turn it off the guests won't be able to reach it, hence the malfunction.
If you don't hijack the DNS queries, LAN clients can use any NS. Usually some of them come with Google NS hardcoded (android phones and tablets), so I guess this is where the "leak" comes from.
Wouldn't that be the case if the LAN hosts queried the router instead of the VPN NS directly?
Or didn't I understand correctly what the code snippet does?
LAN hosts use directly 10.64.0.1 that is advertised from the DHCP server.
Why would there be a leak to a different resolver?
Or do you mean that they use the IPv6 NS?
Yep, option dhcp_option applies to Dnsmasq only and overrides DHCP-option-6 for DHCPv4.
So, @tectonic should also use option dns which applies to odhcpd and overrides DHCP-option-6 for DHCPv6.
In this case it may be worth replacing Dnsmasq with odhcpd for both DHCPv4 and DHCPv6.
Note that pushing 3-rd party DNS-servers via DHCP-option-6 will effectively disable Adblock.
If you need Adblock, then you should use another method.
Thanks very much, @vgaetera and @trendy for your assistance. I think I'm beginning to make sense of this. From what you've said, do I understand correctly that my DNS leaks are as a result of resolvfile which defaults to /tmp/resolv.conf.auto when not specified explicitly, and that this gets created by the WAN DHCP client.
So, setting 'Ignore Resolve File' and specifying list dhcp_option '6,84.200.69.80,84.200.70.40' for guest-zone clients fixes the leak.
However, if I'm to use Stubby for DNS over TLS, then I have to accept leaks to (e.g.) Cloudflare for lan-zone clients. The only way to get around this is to have multiple dnsmasq instances whereby the guest-zone could use Stubby, but the lan-zone could use 10.64.0.1 (and ignore resolv.conf.auto).
I'll get the first version working (i.e. without Stubby) and then have a go at the separate dnsmasq instance...
I think, think it's working. I see no DNS leaks on lan-zone clients, but guest-zone clients are using DoT and DNSSEC. Adblock is working in both zones.
Critical review appreciated: if there's anything that jumps out as 'not right', or there is scope to improve/refine, I'd gladly welcome your feedback. Otherwise, I'll mark this as 'solved'.
Possible future extension: add a 'kidsafe' network with safe-search and filtering (e.g. with OpenDNS Family Shield and the safe-search package. Note to self: list addnhosts '/etc/safe-search/enabled')
Wired clients are seeing dns failures. For example, my HDHomerun Connect logs show "webclient error (dns failed)". Similarly, my Philips Hue Bridge (also wired) cannot connect to meethue. Curiously, whilst the Hue Bridge has an IP address of 192.168.1.119, https://www.meethue.com/api/nupnp reports an IP address of 10.10.10.249.
Somehow, the multiple dnsmasq instances has messed things up. I suspect list interface and list nointerface settings are incorrect, but I can't determine what it might be.
uci set firewall.adblock_dns_53.dest_ip="$(uci get network.lan.ipaddr)"
uci set firewall.adblock_dns_guest_53.dest_ip="$(uci get network.guest.ipaddr)"
uci commit firewall
service firewall restart
Test name resolution from client PC:
nslookup example.org
Verify iptables rules.
Check that PIDs on interfaces match runtime configurations for those interfaces.
Thanks, that's been applied and seems to have sorted my HDHomerun Connect; logs there are clean now.
The Philips Hue is also connecting to the Philips cloud service, but in order to resolve it, I had to remove option noresolv '1' from config dnsmasq 'main'. This means that devices are using the list of resolvers in resolv.conf.auto. I'm back to 'square one' with the DNS leaks. Here's what I'm seeing:
If I set option noresolv '0', then the Philips Hue loses connection to the Philips cloud service, and nslookup openwrt.org shows:
So, it seems that the Hue Bridge uses UDP exclusively, and, for whatever reason, using my VPN provider's public resolver (193.138.218.74) doesn't accept UDP connections.
Is there a way by which I can enforce the order such that 193.138.218.74 is always preferred, but, if that fails, a second resolver is queried?