[solved] WireGuard client configuration and DNS

I have configured Stubby for DNS over TLS (DoT).
This is actually replacing unbound.

The output of dig dnssectest.sidn.nl +dnssec +multi @<OpenWrt-Gateway-IP-Address> confirms that DNSSEC validation works.

$ dig dnssectest.sidn.nl +dnssec +multi @

; <<>> DiG 9.18.4 <<>> dnssectest.sidn.nl +dnssec +multi @
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44247
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 1232
;dnssectest.sidn.nl.	IN A

dnssectest.sidn.nl.	3600 IN	A
dnssectest.sidn.nl.	3600 IN	RRSIG A 13 3 3600 (
				20220708232610 20220623230558 12678 sidn.nl.
				tUzRWB4rQAjPvai+diXfWnpZebx6rSszWYcRXHjP5A== )
dnssectest.sidn.nl.	3600 IN	RRSIG A 13 3 3600 (
				20220708232610 20220623230558 43647 sidn.nl.
				kMHH0kwksAfWesjb4V3biLPPSdRng1cgTf/OURaA9w== )

;; Query time: 99 msec
;; WHEN: Sat Jun 25 16:34:58 CEST 2022
;; MSG SIZE  rcvd: 269

Now I have started setup of OpenWrt WireGuard for provider IVPN based on this guide.
This VPN provider instructs to
[...] uncheck the Use DNS servers advertised by peer and specify one of the following DNS servers in the Use custom DNS servers field: = regular DNS with no blocking = standard AntiTracker to block advertising and malware domains = Hardcore Mode AntiTracker to also block Google and Facebook domains

My understanding is that this settings using VPN's DNS servers should prevent DNS leaks.
However I thought that my setup with Stubby would prevent DNS leaks, too.

Could you please comment which DNS setup is reasonable and recommended?



DNS over X only means that DNS query/reply traffic using alternative method instead traditional DNS over well-known port 53 hence can overcome DNS traffic hijacking or blocking.
DNSSEC is a security extension for regular DNS: it guarantees that query-reply traffic is not manipulated by man in middle but it does not guarantee privacy. Whoever your upstream DNS provider can still log for example your queries.

depending on your DNS upstream server DNSSEC will not be enough for full privacy if that's your concern. your VPN provider may provide log-less, no tracking DNS service but you should check with them.

Does this imply that I should follow the recommendation and setup IVPN's setup for DNS server?

if you trust in your VPN provider and antitracker means what it suggests and your concern is full privacy then probably use your VPN provider.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.