[SOLVED] Wireguard and dns leaks

Ubuntu too? Do you really think that I do not know what Google DNS is?
87.xx.xxx.x
86.xxx.xx.x

That's what they look like, ISP DNS (which I have hidden).

And these rules don't work for me.

Have you configured these nameservers in your Ubuntu manually?
I could not find these NS addresses in the capture you provided though, just the Google ones.
Post here the output of iptables -t nat -L -vn
Try to resolve something with ISP or Google nameservers and run again the above command to verify if the counters increased since last time.
Also post once again the /etc/config/network, /etc/config/dhcp as well as /etc/resolv.conf and /tmp/resolv* to make sure that we didn't miss anything.

What kind? Google DNS - no, ISP - no. In the first test, post N35 - yes, what kind (Google DNS was installed in the settings).

iptables -t nat -L -vn

kris@pc:~$ ssh root@192.168.99.1
root@192.168.99.1's password: 


BusyBox v1.28.3 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 18.06.1, r7258-5eb055306f
 -----------------------------------------------------
root@OpenWrt:~# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 6055 packets, 955K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6055  955K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
 1215  115K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 4839  841K zone_wan_prerouting  all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    1   115 zone_WGZONE_prerouting  all  --  WGINTERFACE *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 34 packets, 16044 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 581 packets, 45312 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 9 packets, 1888 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1543  113K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
    7  1742 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  181 12131 zone_wan_postrouting  all  --  *      eth0.1  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 1353 98787 zone_WGZONE_postrouting  all  --  *      WGINTERFACE  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain postrouting_WGZONE_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_WGZONE_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_WGZONE_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1353 98787 postrouting_WGZONE_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom WGZONE postrouting rule chain */
 1353 98787 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_WGZONE_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   115 prerouting_WGZONE_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom WGZONE prerouting rule chain */

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    7  1742 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1215  115K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  181 12131 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
  181 12131 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 4839  841K prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
root@OpenWrt:~#

/dhcp


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	list server '10.64.0.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	list dhcp_option '6,10.64.0.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/resolv.conf

search lan
nameserver 127.0.0.1

/tmp/resolv.conf

search lan
nameserver 127.0.0.1

/tmp/resolv.conf.auto

# Interface wan
nameserver 192.168.100.1

Resolving via OpenDNS, added to WAN custom DNS 208.67.222.222 and 208.67.220.220.

There is some confusion here.

You mentioned that the iptables commands don't work for you but I don't see them applied in the output of iptables -t nat -L -vn

Other than that, don't enable the custom NS in Luci. Leave the configuration as it is, allowing only 10.64.0.1 as NS and run the command as specified on post 23. This will use a custom NS just for this test, to verify that the dnshijack rules work. If you enable them globally, it is expected behavior to try to use them and you will see these dnsleaks.

I deleted them because yesterday they (rules) did not help me.

iptables -t nat -L -vn

root@OpenWrt:~#  iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 339 packets, 44430 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  404 48682 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
  318 33542 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   63 12603 zone_wan_prerouting  all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   23  2537 zone_WGZONE_prerouting  all  --  WGINTERFACE *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 23 packets, 2441 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 177 packets, 13403 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 20 packets, 2130 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  356 25599 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
    4  1044 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   80  5637 zone_wan_postrouting  all  --  *      eth0.1  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  256 17832 zone_WGZONE_postrouting  all  --  *      WGINTERFACE  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain dnshijack (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53

Chain postrouting_WGZONE_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_WGZONE_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   65  4252 ACCEPT     udp  --  *      *       0.0.0.0/0            10.64.0.1            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.64.0.1            tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.99.1         udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.99.1         tcp dpt:53
    0     0 dnshijack  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 dnshijack  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_WGZONE_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  256 17832 postrouting_WGZONE_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom WGZONE postrouting rule chain */
  256 17832 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_WGZONE_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   23  2537 prerouting_WGZONE_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom WGZONE prerouting rule chain */

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4  1044 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  318 33542 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   80  5637 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
   80  5637 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   63 12603 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
root@OpenWrt:~#

10.64.0.1 is allowed in DHCP and DNS; do I need to add it to WAN?

Update: 10.64.0.1 is added only in DHCP.

root@OpenWrt:~# nslookup www.google.com 10.64.0.1
Server:		10.64.0.1
Address:	10.64.0.1#53

Name:      www.google.com
Address 1: 216.58.213.228
Address 2: 2a00:1450:4005:80a::2004
root@OpenWrt:~#

Looks great.
You could omit advertising the 10.64.0.1 via DHCP to the LAN. This way you can use dnsmasq on openwrt as caching NS. But this is up to you.

Rules are applied correctly and so far only the 10.64.0.1 is used. Resolving on the router is also allowed. If any other NS is used, the packets in dnshijack will increase and will be sent to dnsmasq NS for resolving.

You can verify that everything works properly by trying to override the 2 allowed NS. Run the command nslookup www.google.com 8.8.8.8
You'll see that the packets and bytes of dnshijack chain won't be 0 anymore and your request will be answered by your designated NS.

Example from my setup:
Ubuntu PC

trendy@garida:[~]$nslookup www.in.gr 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	www.in.gr
Address: 213.133.127.247
Name:	www.in.gr
Address: 213.133.127.245

However on the router:

root@xeli:~# tcpdump -i pppoe-wan -vv -n udp dst port 53
tcpdump: listening on pppoe-wan, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:21:11.130252 IP (tos 0x0, ttl 63, id 30110, offset 0, flags [DF], proto UDP (17), length 55)
    ROUTER_IP.25793 > ISP_NS.53: [udp sum ok] 53375+ A? www.in.gr. (27)
20:21:11.373222 IP (tos 0x0, ttl 63, id 30125, offset 0, flags [DF], proto UDP (17), length 55)
    ROUTER_IP.25996 > ISP_NS.53: [udp sum ok] 11064+ AAAA? www.in.gr. (27)

Yes, I have the same answer.

tcpdump -i eth0.1 -vv -n udp dst port 53

Puzzling, I still have a DNS leak.

Often it is the case that these two sites, dnsleaktest.com and dnsleak.io, show only the VPN DNS, but after the "check anonymity" test on https://2ip.io/privacy/ (on which my ISP DNS is visible), the first two (dnsleaktest.com and dnsleak.io) begin to see the ISP NS too.

On https://am.i.mullvad.net/ I also see a DNS leak.

Also, with these firewall rules the site https://am.i.mullvad.net/ constantly shows a DNS leak, but without them only after some time.

What are the addresses 192.168.100.1 and 7, and why are you running the tcpdump on the wan interface and not on WGINTERFACE?

This is the address which the ISP router gives to my router, through LAN.
192.168.100.1 - ISP router
192.168.100.7 - OpenWrt router

I thought maybe there is useful information there.

Your router is querying the ISP router for DNS, this is not right. You should have removed the option to get the NS from the WAN router: option peerdns '0'

You have already configured the VPN NS to be used in dnsmasq, and according to your expectations only this one should be used.

Add to the wan section, right?

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option peerdns '0'

Added, but I still have the leak.

What is the content of /tmp/resolv.conf.auto ?
Did you restart the network?

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider
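An added example, not code posted by anyone in this thread, that scripts the two checks discussed here: trendy's dnshijack counter test from the earlier post (after nslookup www.google.com 8.8.8.8 from a LAN host the REDIRECT counters must no longer be 0) and the inspection of /tmp/resolv.conf.auto asked for just above. It assumes a POSIX sh with awk, as BusyBox on OpenWrt provides; the sample inputs are constructed from the listings posted in this thread.

```shell
#!/bin/sh
# Added example, not code posted in this thread. Assumes POSIX sh + awk
# (BusyBox on OpenWrt is enough). Sample inputs are constructed from the
# listings posted above.

# Sum the pkts column of every REDIRECT rule inside "Chain dnshijack".
# Usage on the router: iptables -t nat -L -vn | dnshijack_pkts
dnshijack_pkts() {
    awk '
        /^Chain / { inchain = ($2 == "dnshijack"); next }
        inchain && $3 == "REDIRECT" { sum += $1 }
        END { print sum + 0 }'
}

# Print each "nameserver" in a resolv-style file on stdin that is NOT in the
# space-separated allow list $1. Usage: leaked_upstreams "10.64.0.1 127.0.0.1" < /tmp/resolv.conf.auto
leaked_upstreams() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }'
}

# Counters as listed right after the rules were applied: nothing hijacked yet.
IPT_BEFORE='Chain dnshijack (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
   65  4252 ACCEPT     udp  --  *      *       0.0.0.0/0            10.64.0.1            udp dpt:53'
# Constructed "after" state: a LAN host ran nslookup www.google.com 8.8.8.8,
# so the udp REDIRECT rule should have counted that query.
IPT_AFTER='Chain dnshijack (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2   110 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53'
# /tmp/resolv.conf.auto as posted: the ISP router is still an upstream for dnsmasq.
RESOLV_AUTO='# Interface wan
nameserver 192.168.100.1'

echo "dnshijack pkts before: $(printf '%s\n' "$IPT_BEFORE" | dnshijack_pkts)"   # 0
echo "dnshijack pkts after:  $(printf '%s\n' "$IPT_AFTER" | dnshijack_pkts)"    # 2
echo "upstream NS not allowed: $(printf '%s\n' "$RESOLV_AUTO" | leaked_upstreams '10.64.0.1 127.0.0.1')"
```

A counter that stays at 0 after the 8.8.8.8 lookup means the query never hit the redirect (for instance it left on an interface the rule does not cover), while any address printed by the second check is an upstream dnsmasq will still forward to, which is exactly what peerdns '0' on the WAN interface is meant to remove.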


nameserver 192.168.100.1

I rebooted the router.

Does this need to be added to .../dhcp or /network? I added it to /dhcp.

You don't need to reboot the router.
/etc/init.d/network restart is enough.

On the WAN interface.
Also make sure you have not added anywhere the 192.168.100.1 as custom NS.

How do I delete this rule? Internet is off.

@kris_ini [SOLVED] Wireguard and dns leaks - #29 by trendy

uci set network.wan.peerdns="1"

I did not add 192.168.100.1 anywhere.
I do not want to use the ISP NS.

Then use the peerdns=0 option on WAN interface, use IP when you connect to VPN (or make a hosts entry), and make sure that VPN is running, otherwise you won't have internet.
